U.S. Department of Justice
Office of the Inspector General
Evaluation and Inspections Division

Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

June 2007

I-2007-005

INTRODUCTION

The federal government’s loss of sensitive information, often stored on laptop computers (laptops), has generated significant concern.[1] For example, in May 2006 a laptop with 26.5 million records containing sensitive information on veterans and their spouses was stolen from a Department of Veterans Affairs employee. In June 2006, the Department of Agriculture disclosed that three of its systems were compromised, potentially making available the names, social security numbers, and photographs of 26,000 of its employees, contractors, and retirees in the Washington, D.C., area. In August 2006, a laptop containing personal information on 30,000 Navy applicants, recruiters, and prospects fell off a motorcycle belonging to a recruiter and was observed by a roadside worker being picked up by someone in a car.

According to a 2006 report on federal agency data breaches by the House Committee on Government Reform, 19 federal departments and agencies have reported hundreds of instances of loss of personally identifiable information (PII) since January 2003.[2] The number of individuals affected in each incident ranged from 1 to 26.5 million. The type of information lost and potentially compromised included personal information such as names, home addresses, photographs, dates of birth, social security numbers, fingerprints, medical information, tax information, earnings records, user passwords, law enforcement information requests, and personal information on law enforcement employees.

[1] The Department of Justice defines sensitive information in its Security Program Operating Manual as “Any information, the loss, misuse, modification of, or unauthorized access to, could affect the national interest, law enforcement activities, the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, U.S. Code, but that has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept classified in the interest of national defense or foreign policy.”

[2] See Committee on Government Reform, U.S. House of Representatives, 109th Congress, Agency Data Breaches Since January 1, 2003, October 13, 2006. According to Office of Management and Budget (OMB) Memorandum M-06-19, July 12, 2006, PII is defined as “any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.”

These incidents highlight the risk that PII and other sensitive data can be compromised when computers or storage media such as disks, CD-ROMs, and flash drives are lost or stolen. The PII on lost or stolen computers or storage media can be used to commit fraud or identity theft. Further, other types of sensitive information, such as proprietary business information or sensitive law enforcement information, could be inappropriately disclosed or copied for purposes of industrial espionage, retaliation, or other crimes.

Because of the importance of these issues, the OIG conducted this review to identify the policies and procedures nine Department components are required to follow to (1) report and identify losses of sensitive information, including PII and classified information, and (2) notify affected parties of losses of their sensitive information.[3]

The report begins with a background section that provides information about the roles and responsibilities of the staff within the Department’s Office of the Chief Information Officer and the development of the Department’s reporting procedures by that office. The report then describes the Department’s reporting and incident response procedures. The report also contains appendices that provide a detailed description of each of the nine components’ reporting procedures and policies.

This review is intended to provide an overview of the policies and procedures the Department has established to respond to and report computer security incidents.[4] However, in this review, we did not verify that components followed Department reporting procedures or verify the accuracy of the data contained in the database used by the Department to track these incidents. Rather, the intent of this review was to identify what policies had been established, and what procedures were being followed in reporting computer security incidents.

[3] The nine components reviewed were the Bureau of Alcohol, Tobacco, Firearms and Explosives; Federal Bureau of Prisons; Criminal Division; Drug Enforcement Administration; Executive Office for United States Attorneys; Federal Bureau of Investigation; Justice Management Division; Tax Division; and United States Marshals Service. These nine components were chosen because they accounted for a large percentage of the total number of all computer security incidents, including PII and other sensitive data loss incidents, reported to the Department between December 2005 and November 2006.

[4] According to DOJCERT, a computer security incident is any unexpected, unplanned event that could have a negative impact on IT resources. Computer security incidents can include the loss of both classified and unclassified systems, unauthorized removal of computer equipment, and exploited weaknesses in a computer system that allow unauthorized access to password files. DOJCERT considers losses of sensitive information to be a subset of computer security incidents.

RESULTS IN BRIEF

The Department has developed a computer security Incident Response Plan that provides standard reporting procedures that all Department components are required to follow. In December 2003, the Department developed a template to standardize procedures Department-wide for responding to and handling computer security incidents. The template includes detailed instructions for handling and reporting computer security incidents. The Department’s Computer Emergency Readiness Team (DOJCERT) developed this Incident Response Plan template under the direction of the Department’s Chief Information Officer and has updated it periodically to reflect new statutory and Office of Management and Budget (OMB) requirements and emerging computer security threats.[5]

In November 2006, the Department included in the template for the first time reporting requirements for PII and other data loss incidents. The new requirements include a 1-hour timeframe for reporting these incidents and define the information that components need to gather when a PII or other data loss occurs or when data has been potentially compromised. The 1-hour timeframe was first established by OMB in July 2006 in a memorandum issued to the Chief Information Officers of all federal agencies.

All of the Department’s components are required to develop their own Incident Response Plans that conform to the template. The nine Department components the OIG reviewed have all developed their own component-specific Incident Response Plans that follow the template. However, as of April 2007, two of the nine components had not yet submitted their revised Incident Response Plans to DOJCERT for approval.

To supplement their Incident Response Plans, the components have developed internal policies, memorandums, or practices for their employees that provide more detailed reporting and incident response procedures within their own internal chains of command. While all nine components reviewed have multiple policies, two of the components have policies that provide contradictory or faulty chain-of-command reporting procedures. Specifically, ATF’s staff has received contradictory instructions on which office is the primary point of contact for reporting computer security incidents. In addition, the USMS’s policy instructs employees to report computer security incidents to staff titles and internal departments that either no longer exist or are inaccurate.

[5] DOJCERT is the organization to which all Department components are required to report computer security incidents, including PII and other data loss incidents. Established in 2000 within the Department’s Office of the Chief Information Officer, it operates 24 hours a day, 7 days a week. A more detailed explanation of DOJCERT’s role and responsibilities is provided in the Background section of this report.

Four of the nine components have developed separate procedures for staff to follow if an incident is reported after normal business hours. One component’s procedures were the same 24 hours a day. The remaining four components have no specific written procedures covering such incidents.[6] We found that at least 19 percent of the incidents reported between December 2005 and November 2006 occurred after hours (6:00 p.m. to 6:00 a.m.).

[6] Two of these components have developed draft procedures, but as of April 2007, those procedures had not yet been issued.

Reporting Procedures

Officials interviewed in the nine components told us that they believed that their employees were following the correct internal chain-of-command reporting procedures when reporting computer security incidents. Although this review did not examine or verify that employees actually were following Department or component procedures, we did note two issues, one specific to a component and one affecting multiple components. In reviewing the information that one component – the Federal Bureau of Investigation (FBI) – provided and information from DOJCERT’s database, we noticed a discrepancy between the number of lost electronic devices that had been reported within the FBI and the number of lost electronic devices that the FBI had reported to DOJCERT.[7] We sought additional information to determine whether the FBI’s employees were following reporting procedures. We also found indications that most of the components were not always reporting computer security incidents in a timely manner.

[7] DOJCERT maintains the Department’s Incident Response and Vulnerability Patch Database, commonly called the Archer Database. See pages 18-19 of this report for a more detailed explanation of how we identified this discrepancy.

Compliance with Reporting Procedures

We found that the FBI did not always follow its or the Department’s reporting procedures. Specifically, the FBI did not report all incidents involving the loss of electronic devices to DOJCERT or all incidents involving classified information to the Department’s Security and Emergency Planning Staff.[8] The FBI received internal reports of 35 lost or stolen laptops between December 2005 and November 2006. Although the FBI is required by the Department’s Incident Response Plan template to report such losses to DOJCERT, the FBI did so for only 7 of those laptops. Additionally, the FBI received internal reports of 107 classified computer security incidents during that same time period, but did not report any of these incidents to the Security and Emergency Planning Staff as required in the Department’s Security Program Operating Manual. This manual requires all Department components to report all classified incidents related to information technology (IT) to the Department’s Security Officer and DOJCERT. We also did not examine whether the Department’s other 31 components are reporting all classified computer security incidents to the Security and Emergency Planning Staff and DOJCERT as required.

[8] The Security and Emergency Planning Staff (SEPS) is required to track all reports of losses of classified information for the Department. A more detailed explanation of SEPS’s role and responsibilities is provided in the Background section of this report.

Timeliness of Reporting All Computer Security Incidents

We examined 1,501 computer security incidents in the DOJCERT Archer Database that were reported by the 9 components between December 1, 2005, and November 30, 2006, and determined that the components were not always meeting the timeframes established in the Incident Response Plans. In particular, we found that the components were not meeting the 1-hour reporting timeframe established by the Department and OMB for reporting computer security incidents involving PII.[9] Only one of the nine components reviewed, the Tax Division, submitted timely reports for nearly all of its computer security incidents.

[9] DOJ, Reporting Incidents Involving Data Loss and Personally Identifiable Information, Vance Hitch, CIO, August 7, 2006; and OMB Memorandum M-06-19 for Chief Information Officers, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, Karen S. Evans, July 12, 2006. The former document establishes a 1-hour reporting timeframe after the discovery or detection of a security incident for components to report to DOJCERT, and the latter document established a 1-hour timeframe for DOJCERT to report to the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT). US-CERT is a partnership between the Department of Homeland Security and the public and private sectors established in 2003 to protect the nation’s Internet infrastructure.
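The two 1-hour reporting hops described in footnote 9 (component to DOJCERT within 1 hour of discovery; DOJCERT to US-CERT within 1 hour of notice), together with the OMB reading under which US-CERT must be notified within 1 hour of discovery, are the kind of timeliness measurement this section reports and that can be checked mechanically against incident records. The Python below is an added example written for this page; it is not code from the OIG, DOJCERT, or the Archer Database. The record layout, field names, component abbreviations, incident identifiers and timestamps are constructed for illustration, and the after-hours flag uses the 6:00 p.m. to 6:00 a.m. window the report itself uses.

```python
"""Incident-report timeliness check (added example; not from the OIG report).

Models the reporting chain the report describes for PII incidents:
  component --(within 1 hour of discovery)--> DOJCERT
  DOJCERT   --(within 1 hour of notice)-----> US-CERT
plus the OMB reading under which US-CERT must be notified within 1 hour
of discovery. Record layout and sample values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ONE_HOUR = timedelta(hours=1)


@dataclass(frozen=True)
class Incident:
    incident_id: str                          # constructed identifier
    component: str                            # constructed component abbreviation
    discovered: datetime                      # discovery/detection time
    reported_to_dojcert: Optional[datetime]   # None = never reported to DOJCERT
    reported_to_uscert: Optional[datetime]    # None = never relayed to US-CERT


def within(start: Optional[datetime], end: Optional[datetime], limit: timedelta) -> bool:
    """True only if both timestamps exist and 0 <= end - start <= limit.

    A report timestamp earlier than discovery is treated as a data-entry
    error and counts as not timely rather than raising.
    """
    if start is None or end is None:
        return False
    return timedelta(0) <= end - start <= limit


def component_timely(inc: Incident, limit: timedelta = ONE_HOUR) -> bool:
    """Department reading: the component notified DOJCERT within `limit` of discovery."""
    return within(inc.discovered, inc.reported_to_dojcert, limit)


def relay_timely(inc: Incident, limit: timedelta = ONE_HOUR) -> bool:
    """DOJCERT passed the incident to US-CERT within `limit` of receiving it."""
    return within(inc.reported_to_dojcert, inc.reported_to_uscert, limit)


def end_to_end_timely(inc: Incident, limit: timedelta = ONE_HOUR) -> bool:
    """OMB reading: US-CERT was notified within `limit` of discovery."""
    return within(inc.discovered, inc.reported_to_uscert, limit)


def after_hours(inc: Incident) -> bool:
    """Discovered between 6:00 p.m. and 6:00 a.m., the report's after-hours window."""
    return inc.discovered.hour >= 18 or inc.discovered.hour < 6


def summarize(incidents: list) -> dict:
    """Rounded percentages for each timeliness reading, plus never-reported incidents."""
    total = len(incidents)

    def pct(count: int) -> int:
        return round(100 * count / total) if total else 0

    return {
        "total": total,
        "component_within_1h_pct": pct(sum(component_timely(i) for i in incidents)),
        "relay_within_1h_pct": pct(sum(relay_timely(i) for i in incidents)),
        "end_to_end_within_1h_pct": pct(sum(end_to_end_timely(i) for i in incidents)),
        "after_hours_pct": pct(sum(after_hours(i) for i in incidents)),
        "never_reported": [i.incident_id for i in incidents if i.reported_to_dojcert is None],
    }


# Constructed sample records (not real DOJ incidents).
T0 = datetime(2006, 9, 5, 14, 0)
SAMPLE_INCIDENTS = [
    # both hops prompt: US-CERT hears within 1 hour of discovery
    Incident("C-001", "TAX", T0, T0 + timedelta(minutes=20), T0 + timedelta(minutes=50)),
    # each hop within its own hour, but 110 minutes end to end
    Incident("C-002", "CRM", T0, T0 + timedelta(minutes=55), T0 + timedelta(minutes=110)),
    # component reported 3 hours after discovery; relay also late
    Incident("C-003", "ATF", T0, T0 + timedelta(hours=3), T0 + timedelta(hours=5)),
    # after-hours discovery, never reported to DOJCERT
    Incident("C-004", "FBI", datetime(2006, 9, 5, 22, 30), None, None),
    # component prompt, DOJCERT relay late
    Incident("C-005", "DEA", T0, T0 + timedelta(minutes=10), T0 + timedelta(hours=2)),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

The three readings are computed separately because, as this section notes, a component can satisfy the Department's 1-hour-to-DOJCERT requirement and DOJCERT can satisfy its own 1-hour relay while US-CERT still hears of the incident more than an hour after discovery (record C-002 above). Incidents with no DOJCERT timestamp are listed rather than silently dropped, since an unreported loss is the case the compliance finding is about.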
The DOJCERT Incident Response Plan template and the components’ Incident Response Plans include reporting timeframes for each of seven categories of computer security incidents, such as Unauthorized Access and Improper Usage, that all Department components are required to report to DOJCERT.[10] We found that between December 2005 and November 2006, the Tax Division made timely reports for 95 percent of its reported computer security incidents. The other eight components made timely reports for between 37 percent and 84 percent of their security incidents.

For PII incidents in the nine components, we found that only 15 percent were reported to DOJCERT within 1 hour of occurrence, and none of these incidents were subsequently reported to US-CERT within the same 1-hour timeframe. Further, DOJCERT reported only 12 percent of PII incidents to US-CERT within 1 hour of the time it received notification from the components.[11] Officials from three components remarked that the 1-hour timeframe was impractical and unrealistic.

OMB’s guidance and the Department’s guidance differ as to when the 1-hour timeframe begins and ends. On July 12, 2006, OMB issued a memorandum requiring federal agencies to report computer security incidents involving PII to US-CERT within 1 hour of discovery.[12] The Department’s November 2006 revision of the Incident Response Plan template requires that the components report PII incidents to DOJCERT within 1 hour of discovery. Our analyses found that the guidance in the DOJCERT Incident Response Plan template appears to conflict with the July 12, 2006, OMB memorandum. The timeliness standard in OMB’s policy requires that incidents be reported to US-CERT within 1 hour of discovery or detection. By allowing 1 hour for reporting just to DOJCERT, the Department’s incident response plan does not ensure compliance with OMB’s 1-hour reporting requirement for US-CERT. Component staff, in fact, told us that employees interpret the OMB requirement to mean that they have 1 hour to report to DOJCERT.

For our analysis, we assessed the amount of time that elapsed between an incident’s occurrence and when the component reported the incident to DOJCERT. For those incidents that were reported within 1 hour to DOJCERT, we determined if they were also reported to US-CERT within the same 1-hour period. We also assessed the amount of time that elapsed between when DOJCERT received notice of an incident and when DOJCERT reported that incident to US-CERT.

[10] See Appendix XII for a description of the seven categories and the associated timeframes. An additional category is used for training exercises only.

[11] The period we used for measuring timeliness in reporting PII incidents was between July 12, 2006 (when OMB began requiring that PII incidents be reported within 1 hour), and November 30, 2006.

[12] OMB Memorandum M-06-19.

Ensuring that All Incidents Are Reported

Officials from the nine components reviewed all identified training as the primary method for ensuring employees are aware of the reporting requirements. The two training courses most often mentioned were the Department’s annual Computer Security Awareness Training and the components’ Information Technology Rules of Behavior.

Notification to Affected Parties

There is no Department requirement to notify the affected parties in the event of loss of PII, and none of the nine components we reviewed has a policy addressing the notification of affected parties. Further, according to a recent Government Accountability Office report, “. . . existing laws do not require agencies to notify the public when data breaches occur . . . .”[13] However, the Department’s Privacy and Civil Liberties Office is currently finalizing a Department-wide notification policy.

[13] Testimony of David M. Walker, Comptroller General, Government Accountability Office, Privacy: Preventing and Responding to Improper Disclosures of Personal Information (GAO-06-833T), before the House Committee on Government Reform, June 8, 2006.

Determining Type of Data Lost

To determine if sensitive information may have been lost or compromised during a reportable computer security incident, all nine components stated that they interview the employee who reported the incident. For most components, this consists of informal questioning in an attempt to assist the employee in reconstructing what occurred and to identify the information that a lost electronic device contained. Five components also supplement the employee’s interview by using computer forensic techniques to determine what information or files were stored or accessed by the employee. For example, the Criminal Division and the Drug Enforcement Administration reported that for incidents involving a lost BlackBerry device, the BlackBerry Exchange Server allows them to identify the e-mails that were received and sent the last time the device was used.

Definitions of Sensitive Information, PII, and Reportable Data Loss

The Department has developed a standard definition for sensitive information but has not developed its own definitions for PII and a reportable data loss. Seven of the components we reviewed have also developed definitions of sensitive information, while the remaining two components use the Department’s definition. The components’ definitions are similar to the one the Department issued in its Security Program Operating Manual.

To define PII, the Department relies on OMB’s July 12, 2006, memorandum. However, two components stated that this definition may lead components to over-designate information as PII because the OMB definition is too broad and overly vague. Most of the components expressed the opinion that the Department needs to develop its own definition of PII.

We found no standard Department definition of a reportable data loss. The components provided a variety of answers when defining a reportable data loss. Their responses were generally in line with the causes of data loss that the DOJCERT Incident Response Plan template describes, such as hacker intrusion through network and system defenses or the loss or theft of a laptop, removable storage medium, or portable computing device containing PII or sensitive information.

Best Practices in Increasing Employee Awareness

Four of the nine components are taking additional steps to either minimize unauthorized access to sensitive information or educate employees on their reporting responsibilities. For example:

• The Tax Division reinforces employees’ awareness of the 1-hour reporting requirement for loss of PII by posting this information prominently on its intranet.

• The Criminal Division displays a variety of security tips, including procedures for reporting computer security incidents, on the computer monitors when employees first log in.

• JMD Personnel staff receive verbal briefings on the procedures for reporting computer security incidents when they are given the equipment necessary to use the Justice Secure Remote Access system and also receive a wallet card summarizing those reporting procedures.

• BOP policy requires that to remove sensitive information from a BOP facility, an employee must obtain written approval from the Chief Executive Officer (CEO) of the facility. When requesting approval, the medium of the sensitive information (e.g., paper documents, electronic files), a description of the equipment being used and the contents, and the purpose for the removal must be documented along with the CEO’s approval.[14]

[14] BOP, Information Security, P1237.13, March 31, 2006, Chapter 2, p. 14.

Recent Developments and Future Plans

The Department frequently updates its guidance on data loss incidents and privacy issues and changes its policies to address newly identified needs. For example, the Department’s Privacy and Civil Liberties Office and Office of the Chief Information Officer are developing a Department-wide policy on notifying affected parties in the event of loss of PII. Once this policy is finalized, DOJCERT plans to issue an addendum to its Incident Response Plan template explaining the notification procedures and the components’ roles in them. Additionally, the Department stated that DOJCERT plans to release an Incident Response Handbook during fiscal year 2007. The handbook will provide guidance to the components on information-gathering techniques during and following an incident, techniques for determining the type of data included on lost equipment, and methods for identifying the level of residual risk associated with each incident.

Conclusion and Recommendations

The Department has developed an Incident Response Plan template to standardize the procedures that all Department components are required to follow to report computer security incidents. However, as of April 2007, two of the nine components have not updated their Incident Response Plans to conform to the Department’s November 2006 revision, which requires all computer security incidents involving PII to be reported within 1 hour. The same two components have also issued internal policies that have contradictory instructions on the primary point of contact for reporting computer security incidents and that direct employees to contact officials with non-existent titles in departments that no longer exist. Another area where we found divergence among the components was in procedures for reporting incidents that occur after normal business hours. Four of the components have developed additional reporting procedures for incidents reported after hours, one component’s procedures are the same 24 hours a day, and the remaining four components do not have specific written procedures covering after-hours incidents.

While all of the components stated that they believed their staff followed procedures established for reporting computer security incidents through their chains of command to component headquarters, we found that the FBI was not always following the reporting procedures outlined in its or the Department’s Incident Response Plans.

We also found that components were not always reporting computer security incidents to DOJCERT within the timeframes established in the Department’s Incident Response Plan template. In particular, the components were not consistently reporting PII incidents within 1 hour to DOJCERT, and none of the PII incidents in the Department were reported to US-CERT within 1 hour of discovery or detection. DOJCERT and component staff interpret the guidance from the Department and OMB differently as to whom the incident is to be reported to within 1 hour. Therefore, we believe clarification is needed on who must receive the report within 1 hour of discovery or detection – component IT staff, DOJCERT, or US-CERT.

Neither the Department nor any of the components we reviewed have developed procedures for notifying affected individuals in the event of a loss of PII, which could cause a delay in notifying affected individuals and increase their risk of falling victim to fraud or identity theft. The Department is developing a policy on this issue, and we believe it should be promptly finalized and distributed to Department components.

The Department has issued a standard definition of sensitive information in its Security Program Operating Manual, and seven components have developed component-specific definitions of sensitive information that are similar to the Department’s definition. However, the Department has not developed its own definitions of PII and what constitutes a reportable data loss. At least seven of the nine components expressed the opinion that the Department should develop its own, more specific definition of PII.

Four components have developed what we consider to be Best Practices to increase employee awareness of the reporting requirements for computer security incidents. We believe the Department and its other components should examine these practices and determine if any should be adopted Department-wide.

To help the Department improve its computer security incident reporting procedures, including the procedures for reporting data loss and classified incidents, we recommend that the Department:

1. Require all components to ensure their procedures cover reporting of after-hours incidents.

2. Review the components’ procedures for reporting classified incidents to ensure those procedures comply with the standards in the Department’s Security Program Operating Manual.

3. Clarify the requirement that all losses of PII be reported within 1 hour and to whom, so that all Department employees understand who to report to and when the 1-hour timeframe begins and ends.

4. Ensure all components meet the established reporting timeframes.

5. Promptly implement a Department-wide policy for notifying affected individuals in the event of a loss of PII.

6. Develop a Department-specific definition of PII.

7. Consider whether any of the procedures described as “Best Practices” should be implemented across the Department.

8. Ensure that components update their internal policies to reflect correct reporting procedures in conformance with the DOJCERT Incident Response Plan template and contain up-to-date titles of internal departments and staff.

TABLE OF CONTENTS

INTRODUCTION ..... i
RESULTS IN BRIEF ..... iv
LIST OF ACRONYMS ..... xiv
BACKGROUND ..... 1
PURPOSE, SCOPE, AND METHODOLOGY OF THE OIG REVIEW ..... 10
RESULTS OF THE REVIEW ..... 14
Reporting and Responding to Computer Security Incidents ..... 14
   Written Procedures ..... 14
   Compliance with Reporting Procedures ..... 17
   Timeliness of Reporting All Computer Security Incidents ..... 19
   Ensuring that All Incidents Are Reported ..... 26
   Notification to Affected Parties ..... 27
Determining the Type of Data Lost ..... 27
Defining Sensitive Information, PII, and Reportable Data Loss ..... 28
Best Practices in Increasing Employee Awareness ..... 29
Recent Developments and Future Plans ..... 30
Conclusion and Recommendations ..... 33
APPENDIX I: ATF REPORTING PROCEDURES ..... 37
APPENDIX II: BOP REPORTING PROCEDURES ..... 45
APPENDIX III: CRIMINAL DIVISION REPORTING PROCEDURES ..... 52
APPENDIX IV: DEA REPORTING PROCEDURES ..... 58
APPENDIX V: EOUSA AND USAO REPORTING PROCEDURES ..... 64
APPENDIX VI: FBI REPORTING PROCEDURES ..... 71
APPENDIX VII: JMD REPORTING PROCEDURES ..... 83
APPENDIX VIII: TAX DIVISION PROCEDURES ..... 89
APPENDIX IX: USMS REPORTING PROCEDURES ..... 95
APPENDIX X: ACTS, DIRECTIVES, AND STANDARDS ..... 103
APPENDIX XI: COMPONENT POLICIES ..... 107
APPENDIX XII: SEVEN CATEGORIES OF SECURITY INCIDENTS AND REQUIRED TIMEFRAMES FOR REPORTING INCIDENTS ..... 111
APPENDIX XIII: OFFICE OF THE CHIEF INFORMATION OFFICER RESPONSE ..... 113
APPENDIX XIV: OIG ANALYSIS OF THE OFFICE OF THE CHIEF INFORMATION OFFICER RESPONSE ..... 116
APPENDIX XV: DEA RESPONSE ..... 120
APPENDIX XVI: OIG ANALYSIS OF THE DEA RESPONSE ..... 123
APPENDIX XVII: USMS RESPONSE ..... 125
APPENDIX XVIII: OIG ANALYSIS OF THE USMS RESPONSE ..... 127

LIST OF ACRONYMS

ATF        Bureau of Alcohol, Tobacco, Firearms and Explosives
BOP        Federal Bureau of Prisons
CEO        Chief Executive Officer
CIO        Chief Information Officer
CRM        Criminal Division
DEA        Drug Enforcement Administration
DOJCERT    Department of Justice Computer Emergency Readiness Team
EOUSA      Executive Office for United States Attorneys
FBI        Federal Bureau of Investigation
FISMA      Federal Information Security Management Act
ISSO       Information Systems Security Officer
IT         Information Technology
JMD        Justice Management Division
NCIC       National Crime Information Center
NIST       National Institute of Standards and Technology
OIG        Office of the Inspector General
OMB        Office of Management and Budget
PII        Personally Identifiable Information
SEPS       Security and Emergency Planning Staff
SPOM
   The Department of Justice\xe2\x80\x99s Security Program Operating\n               Manual\nUSAO           United States Attorney\xe2\x80\x99s Office\nUS-CERT        United States Computer Emergency Readiness Team\nUSMS           United States Marshals Service\n\n\n\n\nU.S. Department of Justice                                              xiv\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c                                   BACKGROUND\n\n\n      The background section provides information about the roles and\nresponsibilities of the staff within the Department\xe2\x80\x99s Office of the Chief\nInformation Officer and the development of the Department\xe2\x80\x99s computer\nsecurity incident reporting procedures by that office. We also describe\nthe Department\xe2\x80\x99s reporting requirements for classified computer security\nincidents.\n\nThe Chief Information Officer\n\n       Within the Department of Justice (Department), the management\nand protection of sensitive information, including personally identifiable\ninformation (PII), falls under the responsibility of the Office of the Chief\nInformation Officer (CIO). 
The CIO, who is also the Deputy Assistant\nAttorney General for Information Resource Management, is responsible\nfor overseeing the management, acquisition, and integration of the\nDepartment\xe2\x80\x99s information resources, including:\n\n       \xe2\x80\xa2    Formulating Department-wide information technology (IT)\n            policies and strategic plans;\n       \xe2\x80\xa2    Ensuring that investments in IT processes are aligned with the\n            Department\xe2\x80\x99s overall strategic goals, budget, and enterprise\n            architecture;\n       \xe2\x80\xa2    Making recommendations concerning the IT budget requests of\n            the Department\xe2\x80\x99s components; and\n       \xe2\x80\xa2    Overseeing the security of the Department\xe2\x80\x99s information\n            systems.15\n\n      The creation of the role of CIOs in the government is attributed to\nthe Clinger-Cohen Act of 1996, previously called the Information\nTechnology Management Reform Act of 1996.16 This Act mandates a CIO\nin each federal agency.\n\n\n\n\n       15   Attorney General Order 2572-2002 designates the CIO to carry out the duties\nassigned under 40 U.S.C. \xc2\xa7 1425. DOJ Order 2880.1B, Information Resources\nManagement Program, September 27, 2005, further establishes the authority of the\nOffice of the CIO in the Department and outlines the office\xe2\x80\x99s duties and responsibilities.\n\n      16 Designation of Chief Information Officers, 44 U.S.C. \xc2\xa7 3506,\n\nFebruary 10, 1996.\n\n\nU.S. 
Department of Justice                                                              1\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c      Since the appointment of the current CIO in 2002, the following IT\nsecurity policies have been issued:\n\n   July 2002              DOJ IT Strategic Plan\n   November 2003          DOJ Order 2640.2E, Information Technology\n                          Security\n   May 2004               DOJ Computer System User Rules of Behavior\n   May 2005               DOJ Security Program Operating Manual\n   September 2005         DOJ Order 2880.1B, Information Resources\n                          Management Program\n   November 2005          DOJ Order 2740.1, Use and Monitoring of DOJ\n                          Computers and Computer Systems\n   June 2006              DOJ IT Strategic Plan, Fiscal Years 2006-2011\n   August 2006            Information Technology Security Program\n                          Management Plan\n   November 2006          DOJ Incident Response Plan Template,\n                          (originally created in December 2003, updated\n                          annually)\n   December 200617        IT Security Standards (17 policies)\n   December 2006          DOJ Configuration Management Plan\n\nIn these documents, the Department has established extensive security\npolicies and incident response procedures for the Department\xe2\x80\x99s IT\nsystems. Additionally, several memorandums have been issued by the\nCIO providing further requirements on reporting computer security\nincidents, particularly those involving loss of PII.\n\n      The Office of the CIO falls organizationally within the Department\xe2\x80\x99s\nJustice Management Division (JMD).18 The CIO has supervisory\nresponsibility for five offices. 
One of these five offices is the Information\n\n       17   The Federal Information Security Management Act (FISMA) of 2002 mandates\nthat all IT systems in the government must undergo certification and accreditation once\nevery 3 years. The National Institute for Standards and Technology (NIST) issued\ngovernment-wide technical guidance for the certification and accreditation process in\nSpecial Publication 800-53, Recommended Security Controls for Federal Information\nSystems (February 2005). The publication identifies 17 categories of information\nsecurity, called \xe2\x80\x9ccontrol families,\xe2\x80\x9d and sets minimum security standards within each\ncontrol family. The Office of the CIO has written 17 separate policies describing how\nthe Department will meet the standards in each control family.\n\n       18 JMD is the management arm of the Department and is led by the Assistant\n\nAttorney General for Administration. The four offices in JMD are the Controller;\nHuman Resources; Information Resource Management; and Policy, Management, and\nPlanning.\n\n\nU.S. Department of Justice                                                           2\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cTechnology Security Staff, whose mission is to ensure the protection of\nthe Department\xe2\x80\x99s information systems that collect, process, transmit,\nstore, or disseminate either classified or Sensitive But Unclassified\ninformation, including PII.19 The Information Technology Security Staff is\nheaded by the Chief Information Security Officer. 
See Chart 1 for the\nOffice of the CIO organization chart.\n\n             Chart 1: Organizational Chart for the Office of\n                     the Chief Information Officer\n\n                          Chief\n                       Information\n                          Officer\n\n\n                                                     Information\n                    Chief Information                Technology\n                     Security Officer                  Security\n                                                       Council\n\n\n\n                       Information\n                       Technology\n                      Security Staff\n\n\n\n\n                        DOJCERT\n\n\n\nThe Chief Information Security Officer\n\n       In June 2003, the CIO appointed a Chief Information Security\nOfficer to help support the Department\xe2\x80\x99s IT security mission and goals,\nand to develop and maintain a Department-wide information security\nprogram. This program includes issuing procedures for detecting,\nreporting, and responding to security incidents, and conducting periodic\nrisk assessments that seek to identify the magnitude of harm that could\nresult from unauthorized access, use, disclosure, disruption,\n\n\n\n\n       19 The other four offices under the CIO are E-Government Services, Policy and\n\nPlanning, Operations Services, and Enterprise Solutions.\n\n\nU.S. 
Department of Justice                                                             3\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cmodification, or destruction of the information and information systems\nthat support the operations and assets of the Department.20\n\n       The Chief Information Security Officer also is responsible for\nensuring the Department\xe2\x80\x99s compliance with various federal laws,\nstandards, and directives regarding electronic information security, such\nas the E-Government Act of 2002, the Federal Information Security\nManagement Act (FISMA) of 2002, the Privacy Act of 1974, National\nInstitute of Standards and Technology (NIST) standards, and Office of\nManagement and Budget (OMB) and DOJ directives. (See Appendix X for\na summary description of each of these laws, standards, and directives.)\n\nThe CIO\xe2\x80\x99s Information Technology Security Council\n\n       The CIO created an Information Technology Security Council (the\nCouncil), chaired by the Chief Information Security Officer, in August\n2003 to address the security goals outlined in the Department\xe2\x80\x99s IT\nSecurity Program Management Plan, which is the guiding document for\nmanaging the Department\xe2\x80\x99s overall IT security program. The plan\nestablishes goals and performance measures; identifies initiatives,\nresources, schedules, and controls; provides templates, guidelines, and\ntools for IT staff to ensure systems meet federal and Department\ncertifications and accreditations; and describes IT security management\nstrategies, roles and responsibilities, program implementation, and the\ngoals and action plans for the security program.\n\n       The Council is composed of IT security staff from each of the\nDepartment\xe2\x80\x99s components. 
The Council created four project\nmanagement teams devoted to different areas of IT security.21 These\nteams develop templates and implementation guidance documents, and\ntest cases for developing, implementing, and testing the security controls\nin the specific areas of security that are covered by each team.\n\n      Cyber Defense Operations Team. The Department\xe2\x80\x99s response to a\ncomputer security incident is handled by the Cyber Defense Operations\nTeam, which is chaired by the Department of Justice Computer\nEmergency Readiness Team\xe2\x80\x99s (DOJCERT) Project Manager and also\nincludes representation from all of the Department components. The\n\n       20Information Technology Security Program Management Plan, Version 5.41,\nAugust 2006.\n\n       21 The four project management teams are the IT Security Employee Services\n\nTeam, the Computing Environment and Enclave Defense Team, the Cyber Defense\nOperations Team, and the Certification and Accreditation Management Team.\n\n\nU.S. Department of Justice                                                          4\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cteam meets monthly to discuss changes in incident reporting standards\nand procedures. Any comments are incorporated into the Incident\nResponse Plan template, which is updated at the beginning of each fiscal\nyear. 
For example, in the November 2006 Incident Response Plan\ntemplate, DOJCERT included for the first time reporting requirements for\nincidents of PII and data loss, and defined the information that\ncomponents need to gather when a data loss occurs or when data has\nbeen potentially compromised.\n\nDOJCERT\n\n      DOJCERT was established in 2000 within the Information\nTechnology Security Staff to fulfill the Department\xe2\x80\x99s obligations under\nthe Government Information Security Reform Act, which directed federal\nagencies to \xe2\x80\x9cestablish procedures for detecting, reporting, and\nresponding to security incidents.\xe2\x80\x9d22 In November 2003, the Department\nupdated its Information Technology Security order to require all\ncomponents to respond to and report all computer security incidents to\nDOJCERT in accordance with rules set forth by DOJCERT.23 These\nrequirements for incident response and reporting are also part of the\nDepartment\xe2\x80\x99s efforts to attain the goals in Homeland Security\nPresidential Directive 7, which established a national policy for federal\ndepartments and agencies to identify and prioritize United States critical\ninfrastructure and key resources and to protect them from terrorist\nattacks.24\n\n      DOJCERT is a centralized incident response team that provides\nDepartment-wide support for computer security incidents and can be\ncontacted 24 hours a day, 7 days a week.25 The CIO has assigned\nDOJCERT the responsibility to provide leadership and guidance to all\nDepartment components in incident response planning and plan\nevaluation. DOJCERT\xe2\x80\x99s stated objective is to work in coordination with\nall Department component incident response teams to provide a central\n\n\n\n       22Pub. L. No. 106-398, the Government Information Security Reform Act,\nOctober 30, 2000. 
This Act expired in November 2002 and was superseded by FISMA\nin December 2002.\n\n       23   DOJ Order 2640.2E, Information Technology Security, November 28, 2003.\n\n        24 Homeland Security Presidential Directive 7, Critical Infrastructure\n\nIdentification, Prioritization, and Protection, December 17, 2003.\n\n       25   DOJCERT is located in Rockville, Maryland.\n\n\nU.S. Department of Justice                                                           5\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cpoint of information collection, information dissemination, and response\nplanning.\n\n      DOJCERT Incident Response Plan. DOJCERT is the organization to\nwhich all Department components are required to report computer\nsecurity incidents, including data loss incidents. DOJCERT developed\nan Incident Response Plan template in December 2003 that established a\nDepartment-wide standardized approach for handling and reporting\ncomputer security incidents and that provided detailed incident response\nprocedures within each component. 
DOJCERT periodically updates the\ntemplate to reflect new statutory or OMB requirements or emerging\ncomputer security threats.\n\n      As explained earlier, DOJCERT revised its Incident Response Plan\ntemplate in November 2006 to require for the first time that the\ncomponents add language that identifies the loss of PII as a distinct type\nof reportable incident, and that defines the category and timeframe\n(1 hour) that should be used to report these data loss incidents.\n\n      The Incident Response Plan identifies seven categories of computer\nsecurity incidents, such as Unauthorized Access and Improper Usage,\nthat all Department components are required to report to DOJCERT, and\nincludes reporting timeframes for each category.26 The DOJCERT\nIncident Response Plan also provides:\n\n       \xe2\x80\xa2   Requirements for incident response handling,\n       \xe2\x80\xa2   Agency objectives for incident response handling,\n       \xe2\x80\xa2   Organizational structure for incident response handling,\n       \xe2\x80\xa2   Roles and responsibilities for key elements and personnel,\n       \xe2\x80\xa2   Preparation and training guidelines,\n       \xe2\x80\xa2   Policy and procedures for handling incidents, and\n       \xe2\x80\xa2   Incident reporting procedures for all Sensitive But Unclassified\n           and classified incidents.\n\n       Each Department component is required to develop its own\nIncident Response Plan that is aligned with the requirements and goals\nof the DOJCERT Incident Response Plan. In addition, each component\nmust conduct an exercise of that plan at least annually.27 DOJCERT\n\n       26 See Appendix XII for a description of the seven categories and the associated\n\ntimeframes. 
An additional category is used for training exercises only.\n\n       27 The IT Security Standard Incident Response Control Family, November 2006,\n\nwritten by DOJCERT, describes the Department\xe2\x80\x99s overall policy for incident response.\n                                                                               (Cont\xe2\x80\x99d.)\n\nU.S. Department of Justice                                                            6\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0creviews each component\xe2\x80\x99s plan annually for compliance with the\nDOJCERT Incident Response Plan template.\n\n      DOJCERT has also instituted regular monthly reporting\nrequirements (in addition to the required reporting of security incidents\nas they occur) to collect additional details on incidents in two of the\nreporting categories and to promote component familiarity with the\nDOJCERT process and staff.28 The DOJCERT template is a technical\ndocument for component IT staff and is not distributed to all employees.\n\n      DOJCERT\xe2\x80\x99s Archer Database. To manage and track the reporting\nprocess, DOJCERT maintains an Incident Response and Vulnerability\nPatch Database (commonly called the Archer Database, after the vendor\nthat developed it) where incidents are recorded and monitored. Using the\nArcher Database, reports can be generated on all Sensitive But\nUnclassified incidents. All the components we reviewed have online\naccess to this database.29 Each component can choose whether to\ncomplete the online Incident Report Form, e-mail or fax the completed\nform to DOJCERT, or telephone DOJCERT with the specifics of the\nincident. Department components with access to the Archer Database\nare able to use it for their own internal tracking purposes as well.\n\n       DOJCERT\xe2\x80\x99s Educational and Technical Support. 
DOJCERT also\nprovides information resources, technical support, coordination\nactivities, and educational support to the Department on incident\nresponse. Furthermore, DOJCERT tracks the implementation of critical\npatches on IT systems and applications. As part of its educational\n\nThe policy requires that each component develop and implement a formal written\nincident response policy, provide annual training to incident response personnel, test\nits incident response plan at least annually, develop a capability for responding to and\nrecovering from incidents that have occurred, track and document incidents, report\nincidents promptly, and provide assistance to users who need to report security\nincidents.\n\n       28 The two categories are Spam and Scans/Probes/Attempted Access. Scans,\nprobes, and attempted access include \xe2\x80\x9cany activity that seeks to access or identify a\nDepartment computer, open ports, protocols, service, or any combination for later\nexploit. This activity does not directly result in a compromise or denial of service.\xe2\x80\x9d See\nAppendix XII.\n\n       29   The United States Marshals Service (USMS) informed us that only one person\nhad been trained to use the Archer Database and that this individual had been on\nextended sick leave. Due to work schedules and recent staff vacancies in the security\noffice, the USMS has been unable to train any other staff to access the Archer\nDatabase. Therefore, the USMS reports new incidents to DOJCERT via telephone\ninstead of through the Archer Database.\n\n\nU.S. 
Department of Justice                                                                 7\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0csupport responsibilities, DOJCERT provides annual training to all\ncomponent IT security staff to meet the FISMA requirements for Incident\nResponse and IT Contingency Plan training and testing.30 Since 2002\nDOJCERT has developed and distributed online, to component CIOs and\ntheir staff, a quarterly newsletter that provides the Department with\nsecurity awareness information, security tips, training information, and\nupdates to DOJCERT operations.\n\n       DOJCERT Reporting Responsibilities. DOJCERT reports all of the\nDepartment\xe2\x80\x99s computer security incidents, except spam, to the\nDepartment of Homeland Security\xe2\x80\x99s United States Computer Emergency\nReadiness Team (US-CERT). US-CERT is a partnership between the\nDepartment of Homeland Security and the public and private sectors\nthat was established in 2003 to protect the nation\xe2\x80\x99s Internet\ninfrastructure. US-CERT also coordinates defenses against and\nresponses to cyber attacks across the nation.31 It is responsible for\nanalyzing and reducing cyber threats and vulnerabilities, disseminating\ncyber threat warning information, and coordinating incident response\nactivities.\n\n       Additionally, DOJCERT is responsible for reporting all actual or\npotential data loss incidents to appropriate components in the\nDepartment. If the incident involves PII, it is reported to the\nDepartment\xe2\x80\x99s Privacy and Civil Liberties Office in the Office of the Deputy\nAttorney General. If there is evidence that a crime has occurred \xe2\x80\x93 for\nexample, computer crimes, child pornography, e-mail threats, successful\nmalicious activity directed towards the Department, or financial fraud \xe2\x80\x93\nthen these incidents are reported to the Federal Bureau of Investigation\n(FBI), the U.S. 
Secret Service, the Criminal Division, the Office of the\nInspector General (OIG), or other appropriate agencies. Additionally,\nDOJCERT reports any information that could be relevant to terrorism\ninvestigations to the FBI and the U.S. Secret Service.\n\nReporting Classified Incidents\n\n     Classified incident reporting in the Department is governed by the\nDepartment\xe2\x80\x99s Security Program Operating Manual (SPOM).32 Classified\n\n         30   FISMA established the responsibilities of agencies to assess their security\nrisks.\n\n      31 Department of Homeland Security website, www.us-cert.gov/aboutus.html,\n\nFebruary 28, 2007.\n\n         32   DOJ Security Program Operating Manual, May 2005.\n\n\nU.S. Department of Justice                                                                  8\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0ccomputer security incidents are to be reported by the components\xe2\x80\x99\nSecurity Programs Manager to the Department Security Officer, who is\nthe Director of the Security and Emergency Planning Staff (SEPS).33\nSEPS maintains a separate database to track these reports. The SPOM\ndefines nine categories of classified security incidents that are to be\nreported, including:\n\n       Any incident involving a possible loss, compromise, or suspected\n       compromise of classified information, foreign or domestic, and . . . Any\n       event involving [IT] systems, equipment or media which may result in\n       disclosure of classified information to unauthorized individuals, or that\n       results in unauthorized modification or destruction of system data, loss\n       of computer system processing capability, or loss or theft of computer\n       system media.34\n\nThe SPOM also requires components to report all IT-related classified\nincidents to DOJCERT in addition to notifying the Department Security\nOfficer. 
DOJCERT notifies SEPS of all data loss incidents, including\nclassified data losses, via e-mail. DOJCERT, in its Incident Response\nPlan template, requests that components, if possible, sanitize and\ndeclassify the incident report and then report it through normal channels\nto DOJCERT.\n\n\n\n\n       33 The Department Security Officer reports to the Deputy Assistant Attorney\nGeneral for Human Resources, who reports to the Assistant Attorney General for\nAdministration. The Assistant Attorney General for Administration is the head of the\nJustice Management Division.\n\n       34   DOJ Security Program Operating Manual, \xc2\xa7 1-302(a) and (e).\n\n\nU.S. Department of Justice                                                             9\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c    PURPOSE, SCOPE, AND METHODOLOGY OF THE OIG REVIEW\n\n\nPurpose\n\n       The purpose of this review was to provide an overview of the\npolicies and procedures that Department components are required to\nfollow to respond to and report computer security incidents.\n\nScope\n\n       This review examined nine of the Department\xe2\x80\x99s components:\n\n       \xe2\x80\xa2   Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF);\n       \xe2\x80\xa2   Federal Bureau of Prisons (BOP);\n       \xe2\x80\xa2   Criminal Division;\n       \xe2\x80\xa2   Drug Enforcement Administration (DEA);\n       \xe2\x80\xa2   Executive Office for United States Attorneys (EOUSA);\n       \xe2\x80\xa2   Federal Bureau of Investigation (FBI);\n       \xe2\x80\xa2   Justice Management Division (JMD);\n       \xe2\x80\xa2   Tax Division; and\n       \xe2\x80\xa2   United States Marshals Service (USMS).\n\n        These 9 components accounted for 69 percent of the total number\nof all computer security incidents reported to DOJCERT between\nDecember 2005 and November 2006. According to the 9 components,\ntaken together they have 229 databases that contain PII. 
These\ndatabases contain personal information from or about the public and\ntherefore present a potentially serious risk to the public if this sensitive\ndata is lost.\n\n       We identified each component\xe2\x80\x99s reporting procedures for the\nfollowing situations:\n\n       \xe2\x80\xa2   Losses of electronic devices, including hardware such as laptops\n           and BlackBerry devices that potentially could contain sensitive\n           information; and\n       \xe2\x80\xa2   Compromises of sensitive information, including PII and\n           classified information, through unauthorized access to\n           computer systems or data.\n\n\n\n\nU.S. Department of Justice                                                10\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c       We also determined:\n\n       \xe2\x80\xa2   Whether the components had procedures to identify the\n           information that was lost,\n       \xe2\x80\xa2   Whether the components had procedures to notify the affected\n           parties, and\n       \xe2\x80\xa2   Whether the components had procedures for reporting\n           computer security incidents outside normal business hours.\n\n       However, the review did not:\n\n       \xe2\x80\xa2   Examine Department or component procedures for tracking,\n           protecting, or controlling sensitive information or PII prior to the\n           reported occurrences;\n       \xe2\x80\xa2   Examine Department or component procedures for tracking,\n           protecting, or controlling removable electronic media, including\n           disks, CD-ROMs, and flash drives;\n       \xe2\x80\xa2   Verify components\xe2\x80\x99 compliance with reporting procedures by\n           means of a case file review;\n       \xe2\x80\xa2   Verify that all computer security incidents are reported; or\n       \xe2\x80\xa2   Verify the accuracy of the data contained in the Archer\n           Database.\n\nMethodology\n\n      The 
methodology used in this review consisted of interviews with
40 staff, document review and analysis, and data analysis.

      Interviews. To determine the computer security incident reporting
procedures followed by each of the components, we interviewed officials
from all nine components, including the headquarters-based individuals
with primary responsibility for contacting DOJCERT on behalf of the
component. For those components with field offices, we interviewed a
field office official with computer security incident reporting
responsibilities. We also interviewed officials from the Office of the CIO,
the Security and Emergency Planning Staff (SEPS), and the Office of the
Deputy Attorney General to discuss Department-wide standards for
computer security incident reporting and Department-wide issues
concerning privacy.

U.S. Department of Justice                                                  11
Office of the Inspector General
Evaluation and Inspections Division

Department Component: Officials Interviewed

ATF
  • Chief, Product Assurance Branch
  • Information Systems Security Officer
  • Project Manager, Information Systems Security Office
  • Special Agent in Charge, Investigations Division
  • Assistant Special Agent in Charge, Investigations Division
  • Assistant Special Agent in Charge, Miami Field Division

BOP
  • Chief, IT Planning and Development
  • Chief, Information Security
  • Information Technology Security Administrator
  • Program Analyst, Information Security Programs Section
  • Supervisory Management Analyst, Internal Affairs Division
  • Computer Services Manager, Allenwood Federal Correctional Complex

Criminal Division
  • Director, Information Technology Management
  • Information Systems Security Officer

DEA
  • Chief, Information Security
  • Deputy Chief Information Officer
  • Deputy Chief Counsel
  • Security Programs Manager
  • Assistant Special Agent in Charge, Houston Field Division

EOUSA
  • Information Systems Security Officer
  • Senior Security Programs Specialist
  • District Office Security Manager, Southern District of New York
  • Executive Assistant U.S. Attorney, Central District of California

FBI
  • Unit Chief, Assurance Management Unit
  • Unit Chief, Security Compliance Unit
  • Unit Chief, Enterprise Security Operations Center
  • Unit Chief, Major Theft Unit
  • Assistant Special Agent in Charge, New York Field Division

JMD
  • Chief Information Security Officer, Office of the CIO
  • Deputy Director for Information Technology Security, Office of the CIO
  • DOJCERT Project Manager, Office of the CIO
  • Assistant Director for Information Safeguards and Security Oversight, SEPS
  • Security Specialist, SEPS
  • Information Systems Security Officer, Personnel Staff

Tax Division
  • Executive Officer
  • Associate Executive Officer
  • Information Technology Specialist

USMS
  • Chief, Enterprise Management
  • Chief Deputy U.S. Marshal, District of Colorado

Office of the Deputy Attorney General
  • Chief Privacy and Civil Liberties Officer

      Document Review and Analysis. We reviewed federal, Department,
and component procedures and policies regarding computer security
incident reporting. These included various federal statutes,
memorandums issued by OMB, US-CERT’s Concept of Operations,
Department Orders, memorandums issued by the Deputy Attorney
General, memorandums issued by the Department’s CIO, the DOJCERT
Incident Response Plan Template, the Department’s IT Security Standard
on Incident Response, documents detailing the Department’s compliance
with FISMA, the components’ Incident Response Plans, and the
components’ IT security policies. See Appendices X and XI for a complete
list of the acts, directives, standards, and component policies we
reviewed.

      Data Analysis. DOJCERT maintains a database titled the
DOJCERT Incident Response and Vulnerability Patch Database, also
known as the Archer Database, for tracking all computer security
incidents, including data loss incidents. We downloaded data from this
database to identify all computer security incidents reported by the nine
components that occurred in the 12-month period of December 1, 2005,
through November 30, 2006.
Within each incident category defined in
the DOJCERT Incident Response Plan, we analyzed compliance with
reporting timeframes.

      We also conducted an analysis of this data to determine the
number of incidents reported by each component that involved actual or
potential loss of PII or classified information. We determined that an
incident involved actual or potential loss of PII if the database showed
that the components answered “Yes” or “Unknown,” respectively, when
asked if an incident involved personal data loss. We determined that an
incident potentially involved classified information based on the incident
description provided in the database. We did not verify this data with
either DOJCERT or the components’ internal records.

      In addition, we analyzed the components’ compliance with the
July 12, 2006, OMB memorandum requiring all federal agencies to
report actual or potential losses of PII within 1 hour.

                          RESULTS OF THE REVIEW

      The Department has developed a computer security Incident
Response Plan that provides standard reporting procedures that all
Department components are required to follow. In December 2003, at
the direction of the Chief Information Security Officer, DOJCERT
developed an Incident Response Plan template to standardize procedures
Department-wide for responding to and handling computer security
incidents. Each of the nine Department components we reviewed has
developed an Incident Response Plan that conforms to the DOJCERT
template. The following is a summary discussion of:

      •   Reporting procedures that the nine components have
          established for reporting and responding to computer security
          incidents;

      •   Determining the type of data lost; and

      •   Defining sensitive information, PII, and reportable loss.

In addition, we identify best practices, recent developments, and future
plans. Detailed discussions of the above areas for each component are
included in Appendices I through IX.

Reporting and Responding to Computer Security Incidents

Written Procedures

      All of the nine components the OIG reviewed have official written
procedures for their employees to follow when reporting computer
security incidents. All nine components have developed their own
component-specific Incident Response Plans that follow the DOJCERT
Incident Response Plan template. The Incident Response Plans are the
primary written guidance for the components’ IT staff response to and
reporting of computer security incidents involving sensitive information,
including PII, to DOJCERT.

      DOJCERT updates the Incident Response Plan template as needed,
but at least annually, to reflect new statutory or OMB requirements or
emerging computer security threats. In November 2006, DOJCERT
revised its Incident Response Plan template to require for the first time
that the components add language that identifies loss of PII as a distinct
type of reportable incident and that defines the category and timeframe
(1 hour) for reporting these data loss incidents.

      As of April 2007, seven of the nine components we reviewed had
updated Incident Response Plans that conformed to the November 2006
DOJCERT template revision: the BOP, the Criminal Division, the DEA,
EOUSA, the FBI, JMD, and the Tax Division. The remaining two
components, ATF and the USMS, had not yet submitted their revised
Incident Response Plans to DOJCERT for approval.

      The DOJCERT template provides instructions for reporting
computer security incidents to DOJCERT, but it does not dictate the
internal reporting requirements within each component. Therefore, to
supplement the DOJCERT template, each component has developed
additional policies, memorandums, or practices for its employees that
provide more detailed reporting and incident response procedures. These
supplemental policies provide further tools to help components respond
to computer security incidents or identify when data loss may have
occurred. For example, components have policies that tell their
employees how to identify reportable computer security incidents and
how to contact internal IT staff to report such incidents. While all nine
components reviewed have multiple policies, two of the components have
policies that provide contradictory or faulty chain-of-command reporting
procedures. ATF staff has received contradictory instructions on which
office is the primary point of contact for reporting computer security
incidents. The USMS policy instructs employees to report computer
security incidents to staff titles and internal departments that either no
longer exist or are inaccurate. Appendix XI identifies the policies that
each component developed and relies on for guidance related to
computer security incidents.

      Four of the nine components have developed separate procedures
for staff to follow if an incident is reported after normal business hours.
One component’s procedures were the same 24 hours a day. The
remaining four components have no specific written procedures covering
such incidents.35 We found that at least 19 percent of the incidents
reported between December 2005 and November 2006 occurred after
hours (6:00 p.m. to 6:00 a.m.).

      Between December 1, 2005, and November 30, 2006, the 9
components the OIG reviewed reported 1,501 computer security
incidents to DOJCERT. During this same period, all 40 Department
components reported 2,162 incidents.

      35 Two of these components have developed draft procedures but, as of April
2007, those procedures had not yet been issued.
(See Table 1 for the number of
incidents reported by each of the nine components reviewed.)

                          Table 1: Total Computer Security
                              Incidents, by Component
                      Component                   Incidents
                      ATF                                70
                      BOP                               252
                      Criminal Division                  24
                      DEA                                43
                      EOUSA                             463
                      FBI                               206
                      JMD                               402
                      Tax Division                       22
                      USMS                               15
                      DOJCERT                             4
                      Total                           1,501
                      Source: Archer Database

      Of the 1,501 incidents reported by the 9 components in this
review, 19 incidents involved the actual loss of PII and an additional 228
incidents involved the potential loss of PII. The number of PII incidents
could be underreported because until July 2006 there was no
requirement to identify and report whether incidents involved the loss of
PII.36 Prior to July 2006, the components’ internal records may have
indicated whether incidents involved the loss of PII, but the components
were not required to report this detail to DOJCERT. According to the
Archer Database, 5 actual losses of PII and 43 potential losses of PII were
reported during the 8 months between the December 1, 2005, start of
our review period and July 12, 2006, when the reporting requirement
went into effect.

      The 1,501 incidents also included 57 incidents involving classified
information.37 The remaining 1,215 incidents involved spam, computer
viruses, or other types of incidents that did not involve either PII or
classified information.

      36 OMB Memorandum M-06-19 for Chief Information Officers, Reporting
Incidents Involving Personally Identifiable Information and Incorporating the Cost for
Security in Agency Information Technology Investments, Karen S. Evans, July 12, 2006.

      37 One of the incidents involving the actual loss of PII also involved classified
information. Seventeen of the incidents involving the potential loss of PII also involved
classified information.
Table 2 gives the breakdown of the types of
incidents reported by the nine components.

              Table 2: Types of Incidents Reported by Nine Components

                     Total      Incidents   Incidents       Incidents        All other
                     number of  involving   involving       involving both   types of
Component            incidents  PII only    classified      PII and          incidents
                                            information     classified
                                            only            information
ATF                         70          7            0               1              62
BOP                        252         24            0               0             228
Criminal Division           24          1            6               4              13
DEA                         43          6            2               0              35
EOUSA                      463        140            2               2             319
FBI                        206         32           24              11             139
JMD                        402         18            5               0             379
Tax Division                22          0            0               0              22
USMS                        15          0            0               0              15
DOJCERT                      4          1            0               0               3
Total                    1,501        229           39              18           1,215
Source: Archer Database

Compliance with Reporting Procedures

      IT security staff and other staff with related duties we interviewed
in all nine components stated that their staff generally followed
procedures established for reporting computer security incidents through
their chain of command up to component headquarters. In this review,
we did not test to verify those statements. However, in reviewing the
information the FBI provided to us and the information we analyzed from
the Archer Database, we noticed a discrepancy between the number of
lost electronic devices that had been reported within the FBI and the
number of lost electronic devices that the FBI had reported to DOJCERT.
Therefore, we asked the FBI some additional questions to determine
whether they were following their reporting procedures. We found that
the FBI was not always following the procedures required in the
DOJCERT Incident Response Plan template or its own required
procedures.

      Within the FBI, computer security incidents are reported to two
separate offices, but only one of those offices is required to report
incidents to DOJCERT. The FBI’s Security Policy Manual requires staff to
report computer security incidents to the FBI’s Security Compliance
Unit. The FBI’s four Incident Response Plans require staff to report
computer security incidents to the FBI’s Enterprise Security Operations
Center.38 Only the Enterprise Security Operations Center reports
computer security incidents to DOJCERT.

      We found that the FBI is not in full compliance with DOJCERT’s
requirement that all lost or stolen electronic devices be reported.39 In
reviewing the information the FBI provided, and in our analysis of
information from the Archer Database, we noticed a discrepancy between
the number of lost electronic devices that had been reported to the FBI’s
Security Compliance Unit and the number of lost electronic devices that
had been reported to the Enterprise Security Operations Center and to
DOJCERT.
For the period from December 2005 through November 2006,
FBI employees reported 35 lost or stolen laptops to the Security
Compliance Unit, but only 7 lost or stolen laptops were reported to the
Enterprise Security Operations Center.40 The underreporting of incidents
to the Enterprise Security Operations Center caused an underreporting
of incidents to DOJCERT and US-CERT. Table 3 below shows the
number of lost or stolen FBI laptops that were reported.

                    Table 3: Number of FBI Laptops Reported Lost
                      or Stolen between December 1, 2005, and
                                  November 30, 2006
                   Reported to the Security Compliance Unit*                        35
                   Reported to the Enterprise Security Operations Center*            6
                   Reported to DOJCERT via the Enterprise Security
                   Operations Center**                                               7
                   * Based on FBI documents.
                   ** Based on OIG analysis of Archer Database.
                   Sources: FBI documents and Archer Database

      In addition to not reporting all incidents of lost electronic devices
to DOJCERT, we found the FBI was underreporting classified computer
security incidents to both SEPS and DOJCERT. The Department’s
Security Program Operating Manual (SPOM) requires that all 40
Department components report classified computer security incidents,
including those involving losses of classified information, to SEPS. At
least 72 classified computer security incidents that were reported to the
Security Compliance Unit by FBI employees between December 2005 and
November 2006 were not reported to either SEPS or DOJCERT as
required. FBI policy does not require the Security Compliance Unit to
report any computer security incident to any entity outside the FBI,
including SEPS. FBI policy only requires the Enterprise Security
Operations Center to report computer security incidents to DOJCERT.
For additional details on FBI compliance with reporting procedures, see
Appendix VI.

      38 All four of the Incident Response Plans conform to the DOJCERT template.

      39 The OIG recently conducted an audit that describes in greater detail the FBI’s
processes for identifying and reporting lost or stolen laptop computers. See OIG, The
Federal Bureau of Investigation’s Control Over Weapons and Laptop Computers Follow-Up
Audit, Audit Report 07-18, February 2007.

      40 FBI officials told us that 35 lost or stolen laptops were reported to the
Security Compliance Unit. We reviewed data from DOJCERT’s Archer Database and
determined that seven lost or stolen laptops had been reported to the Enterprise
Security Operations Center and to DOJCERT. We did not verify those reports.

Timeliness of Reporting All Computer Security Incidents

      We found that the components were not always timely in reporting
all occurrences of computer security incidents, especially those involving
PII, to DOJCERT. Further, DOJCERT was not always timely in reporting
all occurrences of computer security incidents, especially those involving
PII, to US-CERT.

      Timeliness of Components’ Reporting Computer Security Incidents
Overall. Between December 2005 and November 2006, 66 percent of the
computer security incidents were reported in a timely manner by the
nine components overall.
However, only one of the nine components
reported nearly all of its computer security incidents within specified
timeframes. We analyzed data from DOJCERT’s Archer Database to
determine the amount of time that elapsed between the occurrence of a
potential or actual computer security incident and the time the incident
was reported to DOJCERT. The timeframes are defined in the DOJCERT
Incident Response Plan template and the components’ Incident Response
Plans and vary for the seven categories of computer security incidents
the plans address.41

      Between December 2005 and November 2006, the Tax Division
made timely reports for 95 percent of its reported computer security
incidents. The other eight components reported between 37 percent and
84 percent of their security incidents on a timely basis. Table 4 shows
the timeliness in reporting to DOJCERT by category of incident for all
components.42

      41 See Appendix XII for a detailed description of each category. An additional
category is used for training exercises only.

  Table 4: Nine Components’ Timeliness in Reporting Category 1-7 Incidents to DOJCERT

                                  Reporting   Incidents   Reported    Reported    Could not
Category                          timeframe*  reported    within      after       compute
                                                          timeframe   timeframe   timeliness**
Category 0 (Exercise/Test)        None              29       N/A         N/A            29
Category 1 (Unauthorized Access)  1 hour           100        12          79             9
Category 2 (Denial of Service)    2 hours            4         1           3             0
Category 3 (Malicious Code)       1 day            402       143         166            93
Category 4 (Improper Usage)       1 week           264       144          84            36
Category 5 (Scans/Probes)         1 month          180       149          15            16
Category 6 (Investigation)        None             241       N/A         N/A           241
Category 7 (Spam)                 1 month          281       233          11            37
Total                                            1,501       682         358           461
* For purposes of this table, “reporting timeframe” refers to the timeframes defined in the
components’ Incident Response Plans.
** We could not compute timeliness for some incidents because the Archer Database contained
no information to indicate when DOJCERT received the reports. We also could not compute
timeliness for incidents in Categories 0 and 6, which do not have timeframes.
Source: Archer Database

      Timeliness of Components’ Reporting of PII Incidents. The
9 components in this review reported 199 potential or actual losses of PII
to DOJCERT between July 12, 2006, and November 30, 2006. Only
15 percent of those incidents were reported within 1 hour to DOJCERT,
and none of the PII incidents were reported to US-CERT within 1 hour of
discovery or detection. Table 5 provides data on the nine components’
timeliness in reporting actual and potential PII incidents to DOJCERT.

      42 Our calculations are based on Categories 1 through 5 and Category 7. We
did not include incidents found in Categories 0 and 6 because they had no associated
time criteria, nor did we include incidents for which the Archer Database contained no
information to indicate when DOJCERT received the report that an incident had
occurred.
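The timeliness analysis the OIG describes (category timeframes from Table 4, the OMB 1-hour rule for PII incidents on both the component-to-DOJCERT and DOJCERT-to-US-CERT legs, and the "could not compute" handling for missing receipt times and for Categories 0 and 6) can be reproduced as a small script. The following is an added example, not code or data from the report or from DOJCERT; the incident records are constructed, "1 month" is assumed to be 30 days, and the Archer field names are invented for illustration.

```python
"""Incident-report timeliness analysis in the style of the OIG review.

Constructed example: the records below are made up and are not data from
the Archer Database; field names are assumed, not DOJCERT's schema.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Reporting timeframes by DOJCERT incident category (Table 4). Categories 0 and 6
# have no timeframe, so timeliness cannot be computed for them.
# "1 month" is assumed to be 30 days here; the report does not define it.
CATEGORY_TIMEFRAMES = {
    0: None,                  # Exercise/Test
    1: timedelta(hours=1),    # Unauthorized Access
    2: timedelta(hours=2),    # Denial of Service
    3: timedelta(days=1),     # Malicious Code
    4: timedelta(weeks=1),    # Improper Usage
    5: timedelta(days=30),    # Scans/Probes
    6: None,                  # Investigation
    7: timedelta(days=30),    # Spam
}
PII_TIMEFRAME = timedelta(hours=1)          # OMB Memorandum M-06-19
PII_RULE_EFFECTIVE = datetime(2006, 7, 12)  # date the 1-hour PII rule took effect


@dataclass
class Incident:
    component: str
    category: int
    occurred: datetime                      # component-reported occurrence time
    to_dojcert: Optional[datetime]          # None if Archer has no receipt time
    to_uscert: Optional[datetime] = None    # None if no US-CERT submission time
    pii: str = "No"                         # "Yes" = actual loss, "Unknown" = potential


def classify(start, end, timeframe):
    """'timely' or 'late' against a timeframe, or 'unknown' when either timestamp
    is missing or there is no timeframe (the report's 'could not compute' column)."""
    if timeframe is None or start is None or end is None:
        return "unknown"
    return "timely" if end - start <= timeframe else "late"


def category_timeliness(inc):
    """Component -> DOJCERT leg, judged by the incident's category timeframe."""
    return classify(inc.occurred, inc.to_dojcert, CATEGORY_TIMEFRAMES[inc.category])


def pii_component_timeliness(inc):
    """Component -> DOJCERT leg under the 1-hour PII rule; None when the rule
    does not apply (no PII, or the incident predates July 12, 2006)."""
    if inc.pii not in ("Yes", "Unknown") or inc.occurred < PII_RULE_EFFECTIVE:
        return None
    return classify(inc.occurred, inc.to_dojcert, PII_TIMEFRAME)


def pii_dojcert_timeliness(inc):
    """DOJCERT -> US-CERT leg under the 1-hour PII rule (the Table 6 comparison)."""
    if pii_component_timeliness(inc) is None:
        return None
    return classify(inc.to_dojcert, inc.to_uscert, PII_TIMEFRAME)


def tally(incidents, judge):
    """Count timely/late/unknown, skipping incidents the rule does not apply to."""
    return Counter(r for r in map(judge, incidents) if r is not None)


def percent_timely(counts):
    """Share timely among computable incidents, as footnote 42 does
    (unknowns are excluded from the denominator)."""
    computable = counts["timely"] + counts["late"]
    return round(100 * counts["timely"] / computable, 1) if computable else None


def median_hours(incidents, start_attr, end_attr):
    """Median elapsed hours over incidents where both timestamps exist."""
    spans = [getattr(i, end_attr) - getattr(i, start_attr) for i in incidents
             if getattr(i, start_attr) and getattr(i, end_attr)]
    return median(s.total_seconds() / 3600 for s in spans) if spans else None


# Constructed sample records (not real Archer data).
SAMPLE = [
    Incident("ATF", 1, datetime(2006, 8, 1, 9, 0), datetime(2006, 8, 1, 9, 45),
             datetime(2006, 8, 1, 10, 30), pii="Yes"),
    Incident("BOP", 3, datetime(2006, 8, 2, 10, 0), datetime(2006, 8, 3, 12, 0),
             datetime(2006, 8, 4, 8, 0), pii="Unknown"),
    Incident("EOUSA", 6, datetime(2006, 9, 1, 8, 0), datetime(2006, 9, 1, 10, 0)),
    Incident("FBI", 4, datetime(2006, 10, 5, 8, 0), None, pii="Unknown"),
    Incident("JMD", 7, datetime(2006, 3, 1, 8, 0), datetime(2006, 3, 20, 8, 0),
             pii="Yes"),
    Incident("DEA", 1, datetime(2006, 11, 15, 17, 30), datetime(2006, 11, 16, 9, 0),
             datetime(2006, 11, 16, 9, 50), pii="Unknown"),
]

if __name__ == "__main__":
    for name, judge in [("category timeframes", category_timeliness),
                        ("PII 1-hour, component -> DOJCERT", pii_component_timeliness),
                        ("PII 1-hour, DOJCERT -> US-CERT", pii_dojcert_timeliness)]:
        counts = tally(SAMPLE, judge)
        print(f"{name}: {dict(counts)}  timely={percent_timely(counts)}%")
    print("median hours, occurrence to DOJCERT:",
          median_hours(SAMPLE, "occurred", "to_dojcert"))
```

Note that the pre-July 2006 JMD record counts toward its category timeframe but is skipped by the PII rule, and the FBI record with no DOJCERT receipt time lands in the "unknown" bucket on every leg rather than being silently dropped.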
     Table 5: Nine Components’ Timeliness in Reporting Actual and Potential
                            PII Incidents to DOJCERT

                 Incidents            Reported
                 occurring on or      within 1 hour   Reported        Could not compute
   Component     after 07/12/06       (TIMELY)*       after 1 hour    timeliness**
   ATF                     6                  4               2                 0
   BOP                     7                  1               6                 0
   CRM                     4                  0               4                 0
   DEA                     6                  1               5                 0
   EOUSA                 134                 19             101                14
   FBI                    26                  0              25                 1
   JMD                    16                  2              12                 2
   TAX                     0                N/A             N/A               N/A
   USMS                    0                N/A             N/A               N/A
   Total                 199                 27             155                17
   Note 1: Because the Archer Database does not require components to identify
   the date and time an incident was discovered, we relied on the components’
   reports of the date and time each incident occurred to conduct our analysis.
   Note 2: PII incidents were reported in several incident categories.
   * The 1-hour timeframe for PII incidents is defined in OMB Memorandum
   M-06-19.
   ** We could not compute timeliness for some incidents because the Archer
   Database contained no information to indicate when DOJCERT received the
   reports.
   Source: Archer Database

      Although OMB requires that all potential or actual losses of PII be
reported within 1 hour to US-CERT, the median time for the nine
components to report such incidents to DOJCERT was slightly over
12 hours.43 Chart 2 shows the components’ timeliness in reporting PII
incidents to DOJCERT within the first 24 hours after occurrence. The
components reported 66 PII incidents (36 percent) to DOJCERT more
than 24 hours after occurrence.

      43 The median refers to the middle number of a group of numbers; that is, half
the numbers have values that are greater than the median, and half the numbers have
values that are less than the median. For example, the median of 2, 3, 3, 4, 5, 7, and
10 is 4.

              Chart 2: Components’ Timeliness in Reporting PII Incidents to
                  DOJCERT Within the First 24 Hours After Occurrence

[Histogram. Y-axis: Number of Incidents Reported (0 to 30). X-axis: Number of
Hours Between Incident and Report to DOJCERT (0 to 24, in 3-hour steps).
Source: Archer Database]

      When discussing their timeliness in reporting PII incidents, the
nine components’ staff told us there was a lack of clarity as to when the
1-hour reporting timeframe begins and ends. OMB’s July 12, 2006,
memorandum requires federal agencies to report computer security
incidents to US-CERT within 1 hour of discovery.
However, the
Department’s November 2006 revision of its Incident Response Plan
template requires that PII incidents be reported by the components
within 1 hour of discovery or detection to DOJCERT. By allowing 1 hour
for reporting to DOJCERT, the incident response plan appears to conflict
with the OMB directive that incidents be reported to US-CERT within 1
hour of discovery or detection.

      Component staff told us that component employees interpret the
OMB requirement to mean that they have 1 hour to report incidents to
their component’s IT staffs. We found the components’ IT staffs interpret
the OMB requirement to mean that they have 1 hour to report incidents
to DOJCERT. DOJCERT interprets the OMB requirement to mean that it
has 1 hour from the time it is notified of an incident to report that
incident to US-CERT. Therefore, the components may need further
clarification from the Department on when the 1-hour window for
reporting PII incidents begins and ends, and who must receive the report
within 1 hour of discovery or detection – component IT staff, DOJCERT,
or US-CERT. Officials from three components remarked that the 1-hour
timeframe was impractical and unrealistic.

      For our analysis, we assessed the amount of time that elapsed
between an incident’s occurrence and when the component reported the
incident to DOJCERT. For those incidents that were reported within
1 hour to DOJCERT, we determined if they were also reported to
US-CERT within the same 1-hour period. We also assessed the amount
of time that elapsed between when DOJCERT received notice of an
incident and when DOJCERT reported that incident to US-CERT.

      Because the 1-hour requirement is relatively recent, we also
examined whether the components’ timeliness in reporting PII incidents
to DOJCERT was improving. To examine this, we compared incidents
that occurred between July 12, 2006, and September 20, 2006, with
incidents that occurred between September 21, 2006, and
November 30, 2006.44 We found that the components’ reporting data
suggests that their performance improved over time. Only 5 of the 76
potential or actual losses of PII that occurred between July 12, 2006, and
September 20, 2006 (7 percent) were reported to DOJCERT within 1 hour
of the incidents’ occurrence.45 However, between September 21, 2006,
and November 30, 2006, 22 of the 106 potential or actual losses of PII
(21 percent) were reported to DOJCERT within 1 hour of the incidents’
occurrence.46 (See Chart 3.)

      44 We chose September 20, 2006, as the cutoff date because it is halfway
between July 12, 2006, and November 30, 2006.

      45 We could not analyze 10 incidents for timeliness because there was no
information in the Archer Database to indicate when DOJCERT received the reports.

      46 We could not analyze seven incidents for timeliness because there was no
information in the Archer Database to indicate when DOJCERT received the reports.
Chart 3: Timeliness of Reporting PII Incidents Improved Over Time

[Bar chart. Y-axis: Date Incident Occurred; X-axis: Percentage Timely (0% to 100%).
   7/12/06 - 9/20/06:     7%
   9/21/06 - 11/30/06:   21%
Source: Archer Database]

      Timeliness of DOJCERT’s Reporting of PII Incidents. Between
December 2005 and November 2006, DOJCERT reported 61 percent of
computer security incidents to US-CERT in a timely manner. However,
our analysis also showed that DOJCERT reported only 12 percent of the
potential or actual losses of PII to US-CERT within 1 hour of being
notified by the components of the incidents.47 DOJCERT reported
88 percent of the potential or actual losses of PII to US-CERT more than
an hour after being notified by the components.48 See Table 6 for data on
DOJCERT’s timeliness in reporting PII incidents to US-CERT.

      47 For the 199 potential or actual losses of PII, we compared the date and time
the incident was reported to DOJCERT with the date and time the incident was reported
to US-CERT, to determine how well DOJCERT was meeting the 1-hour timeframe. We
could not analyze 64 of the incidents for timeliness because there was no information in
the Archer Database to indicate when the report was submitted to US-CERT.

      48 DOJCERT staff report incidents to US-CERT by completing a web-based
form. DOJCERT staff also print a copy of each completed form and maintain the paper
copies in their records. The date and time the form was printed appears automatically
at the bottom of the page. DOJCERT staff type this information into the Archer
Database for tracking purposes.

      Table 6: DOJCERT’s Timeliness in Reporting PII Incidents to US-CERT

          Incidents occurring on or    Reported         Reported       Could not
          after 07/12/06 (reported     within 1 hour    after 1        compute
            by nine components)        (TIMELY)*        hour           timeliness**
Total                           199              16           119               64
* The 1-hour timeframe for PII incidents is defined in OMB Memorandum M-06-19.
** We could not compute timeliness for the 64 incidents because the Archer Database
contained no information to indicate when the report was submitted to US-CERT.
Source: Archer Database

      The median time taken by DOJCERT to report potential or actual
losses of PII to US-CERT was slightly under 24 hours, with 67 of the
incidents being reported more than 24 hours after the components
notified DOJCERT that they had occurred.
Chart 4 shows DOJCERT’s timeliness in reporting PII incidents to US-CERT within the first 24 hours after receiving notice that the incident had occurred.

Chart 4: DOJCERT’s Timeliness in Reporting PII Incidents to US-CERT Within the First 24 Hours After Receiving Notice

[Histogram; y-axis: Number of Incidents Reported (0 to 20); x-axis: Number of Hours Between Report to DOJCERT and Report to US-CERT (0 to 24, in 3-hour steps); bar heights are not recoverable from the extracted text]

Source: Archer Database

Ensuring that All Incidents Are Reported

The nine components stated that they cannot ensure that all incidents are reported, but they identified training as their primary method for ensuring that employees are aware of the requirement to report data loss incidents, including those involving PII. This training includes:

• Computer Security Awareness Training – Seven of nine components identified the Department’s annual Computer Security Awareness Training as a way to ensure that all employees are aware of the reporting requirements.49 This training consists of a 1-hour online PowerPoint presentation. The fiscal year 2007 Computer Security Awareness Training included, for the first time, a section on data loss reporting procedures, including PII. Additionally, the training defines computer security incidents, reviews the protection of systems information, and explains the consequences of lost or breached sensitive information.

• Standards of Conduct and IT Rules of Behavior – Two components use the Department’s Standards of Conduct, and seven components use their own IT Rules of Behavior as other forms of training to inform all employees of their responsibilities related to computer use, including reporting all computer security incidents or vulnerabilities (as well as losses of sensitive information), accountability for and confidentiality of federally owned information, and reporting any loss or damage to laptops or BlackBerry devices.50 All of those components’ employees must read and sign the IT Rules of Behavior.

Two components use additional methods to make employees aware of the requirement to report data loss incidents:

• The Criminal Division displays security tips on computer monitors after employees have entered their passwords and are waiting for the computers to connect to the division’s network.

• The Tax Division posts the reporting requirements for data loss prominently on its intranet to make them readily accessible to employees.

49 The seven components were ATF, the Criminal Division, the DEA, the FBI, JMD, the Tax Division, and the USMS.

50 The two components that identified Standards of Conduct were ATF and the DEA. The seven components that identified IT Rules of Behavior were ATF, the Criminal Division, the DEA, the FBI, JMD, the Tax Division, and the USMS.

Notification to Affected Parties

The Department does not have a policy to notify affected parties of a loss of PII. According to recent Government Accountability Office testimony, “. . . existing laws do not require agencies to notify the public when data breaches occur . . . .”51 However, the Department’s Privacy and Civil Liberties Office is circulating a draft Department-wide notification policy.

None of the nine components we reviewed had a written policy for notification. Four of the components reviewed offered suggestions for what the component might do if a loss of PII occurred, and three stated that the Department or OMB should develop a Department-wide notification policy so that responses would be standardized and consistent.

51 Testimony of David M. Walker, Comptroller General, Government Accountability Office, Privacy: Preventing and Responding to Improper Disclosures of Personal Information (GAO-06-833T), before the House Committee on Government Reform, June 8, 2006.

Determining the Type of Data Lost

All nine components informed us that when a computer security incident is discovered, the employee who reported the data loss is interviewed to determine what sensitive information the lost device or removable storage media may have contained. For most components, this consists of informal questioning in an attempt to assist the employee in reconstructing what occurred and to identify the information that the device contained. DOJCERT’s Incident Response Plan template and the components’ Incident Response Plans contain a section that provides general guidelines on how to respond to incidents. Three components – ATF, the FBI, and the USMS – have developed a questionnaire for use when interviewing the employee to identify the contents of the lost or compromised sensitive information.

ATF, the Criminal Division, the DEA, the FBI, and the USMS reported that they use computer forensic techniques in certain situations to supplement the employee’s account of what information or files were stored or accessed by the employee. For example, the Criminal Division and the DEA reported that for incidents involving a lost BlackBerry device, the BlackBerry Exchange Server allows them to identify the e-mails that were received and sent the last time the device was used. All components can send a “kill signal” to a BlackBerry device once its loss is known, rendering it useless and the information on it inaccessible.

Defining Sensitive Information, PII, and Reportable Data Loss

The Department has developed a standard definition for sensitive information but has not developed its own definitions for PII and what constitutes a reportable data loss.
The Department’s definition for sensitive information in its Security Program Operating Manual (SPOM), which is distributed to the components’ Security Programs Managers, is:

    Any information, the loss, misuse, modification of, or unauthorized access to, could affect the national interest, law enforcement activities, the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, U.S. Code, but that has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept classified in the interest of national defense or foreign policy.52

However, officials in seven of the nine components we reviewed stated that basically all of their information is sensitive. One component official stated, “We’ve lowered it [the definition of sensitive information] to a point where nearly everything is sensitive and that’s a problem.”

52 DOJ Security Programs Operations Manual, May 2005, p. A-7.

The Department has not issued its own definition of PII but instead relies on the definition set forth in OMB Memorandum M-06-19:

    [A]ny information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

Two components stated that this definition may lead components to over-designate information as PII because the OMB definition is too broad and overly vague. One component official stated that even his government e-mail address was considered PII. Another component official voiced concern that the terms PII and sensitive are now interchangeable. Most of the components expressed the opinion that the Department needs to develop its own definition of PII.

In addition, we found no standard Department definition of a reportable data loss. However, the components provided a variety of answers when defining what they considered a reportable data loss. Their responses were generally in line with the causes of data loss described in the DOJCERT Incident Response Plan template, which notes that data loss can be caused by:

    • Loss or theft of a laptop, removable storage medium, or portable computing device containing PII or sensitive information; . . .
    • Successful phishing, pharming, or social engineering by a malicious attacker;
    • Hacker intrusion through network and system defenses;
    • Spyware, viruses, worms, Trojan horses, rootkits, backdoors, keyloggers, or other malicious code installed on a computing device;
    • Eavesdropping of communications at public Internet access points, such as cyber cafes or hotels;
    • Eavesdropping of wireless communications; . . .
    • Failure to secure unattended documents containing sensitive information or PII; and
    • Failure to clean sensitive information or PII from computers or storage devices before they are discarded.53

53 DOJCERT Incident Response Plan template, version 1.3, § 9.4, November 2006. Social engineering is a collection of techniques, such as phishing and pharming, used to manipulate people into performing actions or divulging confidential information. Phishing is e-mail appearing to come from a legitimate business – a bank, or credit card company – requesting “verification” of information and warning of dire consequence if it is not done. Pharming is a hacker’s attack aiming to redirect a website’s traffic to another (bogus) website.

For more discussion on each component’s definitions of sensitive information, PII, and a reportable data loss, see Appendices I through IX.

Best Practices in Increasing Employee Awareness

The OIG believes the following procedures or policies used by four of the nine components could be considered Best Practices. These components are taking additional steps to either minimize unauthorized access to sensitive information or to educate employees on their reporting responsibilities:
• The Tax Division reinforces employees’ awareness of the 1-hour reporting requirement for loss of PII by posting this information prominently on its intranet.

• The Criminal Division displays a variety of security tips, including procedures for reporting computer security incidents, on computer monitors when employees first log in.

• JMD Personnel staff receive verbal briefings on the procedures for reporting computer security incidents when they are given the equipment necessary to use the Justice Secure Remote Access system and also receive a wallet card summarizing those reporting procedures.

• BOP policy requires that to remove sensitive information from a BOP facility, an employee must obtain written approval from the Chief Executive Officer (CEO) of the facility. When requesting approval, the medium of the sensitive information (e.g., paper documents, electronic files), a description of the equipment being used and the contents, and the purpose for the removal must be documented along with the CEO’s approval.54

Recent Developments and Future Plans

The Department frequently updates its guidance on data loss incidents and privacy issues, or changes its policies to address a newly identified need.
For example, the Department must comply with the Privacy Act, which regulates the collection, maintenance, use, and dissemination of certain types of personal information maintained by federal agencies.55 The Act prohibits the disclosure of such information except with the prior written consent of the individual to whom the information pertains or if the disclosure falls within one of 12 statutory exceptions.56 One of these exceptions permits disclosure for a “routine use,” which is defined as “the use of such record for a purpose which is compatible with the purpose for which it was collected.”57 Consistent with the Act, the Department and its components have published in the Federal Register their routine uses, “including the categories of users and the purpose of such use[s].”58

54 BOP, Information Security, P1237.13, March 31, 2006, Chapter 2, p. 14.

55 5 U.S.C. § 552a. For a comprehensive overview of the Act’s requirements, see www.usdoj.gov/oip/04_7_1.html.

56 5 U.S.C. § 552a(b).

57 5 U.S.C. §§ 552a(b)(3) & (a)(7). An example of a published routine use for Department recordkeeping systems is disclosure to any criminal, civil, or regulatory law enforcement authority (whether federal, state, local, territorial, tribal, or foreign) where the information is relevant to the recipient entity’s law enforcement responsibilities.

58 5 U.S.C. § 552a(e)(4)(D).

As part of its response to a data breach, the Department might be required to disclose information protected by the Privacy Act. For example, an official with the Privacy and Civil Liberties Office observed that the Department of Veterans Affairs, in responding to the May 2006 laptop theft, contacted other federal agencies to determine whether the contact information it had for the affected individuals was correct. In such a case, the Department would need to rely on a routine use to authorize the disclosure. Accordingly, the Privacy and Civil Liberties Office reviewed the Department’s existing published routine uses and determined that a new routine use to cover this situation was required.

In October 2006, the Department published a notice in the Federal Register describing this new routine use. The routine use would “facilitate an effective response to a confirmed or suspected [data] breach by allowing for disclosure to those individuals affected by the breach, as well as to others who are in a position to assist in the Department’s response efforts.” The provision went into effect in December 2006.59

In February 2007, the Department’s Privacy and Civil Liberties Office added a Privacy Resources page to the Department’s intranet. This page provides Department employees with OMB’s definition of PII, guidance and templates for preparing Privacy Impact Assessments, copies of DOJ Orders and Department guidance related to the general protection of privacy, and links to OMB privacy guidance.60

59 The Department published a minor modification in the Federal Register in January 2007 to clarify that it is the Department that must confirm or suspect a data breach before disclosure would be permitted.

60 The page defines PII as “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to a specific individual.” This is the definition used in OMB Memorandum M-06-19, July 12, 2006.

The Privacy and Civil Liberties Office and the Office of the CIO have also drafted a Department-wide policy on notification of affected parties in the event of a data loss incident that could result in identity theft. To ensure that the Department makes notification decisions in a consistent manner, the final determination about whether to notify affected parties in each situation will be made by high-ranking Department officials rather than by component officials. The draft policy calls for the establishment of an Identity Theft Core Management Team, which will convene in the event of a data breach and analyze the situation to determine the risk of identity theft.61 If the management team determines that there is a risk of identity theft, and that affected individuals should be notified, the policy outlines factors that should be incorporated into the Department’s response, including timing and the contents and methods of notification.
Once this policy is finalized, DOJCERT plans to issue an addendum to the DOJCERT Incident Response Plan template explaining the procedures and the components’ roles in relation to them.

61 The Identity Theft Core Management Team will consist of the Associate Attorney General; the Assistant Attorneys General for Administration, the Office of Legal Counsel, and the Office of Legislative Affairs; an Associate Deputy Attorney General; the CIO; the Chief Privacy Officer; the Inspector General; and the Director of the Office of Public Affairs.

DOJCERT told us that later in fiscal year 2007 it plans to release an Incident Response Handbook to provide the components with additional guidance on determining the type of data contained on lost equipment. The handbook will provide guidance to the components on:

• Information-gathering techniques during and following an incident,
• Techniques for determining the type of data included on lost equipment, and
• Methods for identifying the level of residual risk associated with each incident.

CONCLUSION AND RECOMMENDATIONS

The Department has developed an Incident Response Plan template to standardize the procedures that its components are required to follow to report computer security incidents. The nine Department components reviewed by the OIG have all developed and implemented their own component-specific incident response plans that follow the Department’s template.
However, as of April 2007 two of the nine components had not updated their incident response plans to conform to the Department’s November 2006 revision that requires all computer security incidents involving PII to be reported within 1 hour.

Although the Department’s template does not require it, we also found that four of the nine components had developed additional written procedures to ensure prompt reporting of incidents that occur outside normal business hours and that one component’s procedures are the same 24 hours a day. To ensure that all Department employees know who to call after hours to report a computer security incident, we believe the Department should require all of its components to develop after-hours reporting procedures.

While all of the components stated that they believed their staff followed procedures established for reporting computer security incidents through their chains of command up to component headquarters, we found indications that the FBI’s IT staff was not always following the reporting procedures outlined in the Department’s Incident Response Plan template or its own internal procedures. The FBI also was not reporting classified computer security incidents directly to the Security and Emergency Planning Staff, as required by the Department’s Security Program Operating Manual.

Because this review covered only nine components, it is unknown whether other Department components are reporting all classified computer security incidents.
Because of the potential risk involved in the loss of classified information, we believe the Department should review and ensure each component’s compliance with the Department’s requirements for the reporting of classified security incidents.

In addition, we found that the components were not always reporting all computer security incidents to DOJCERT within the timeframes established in the Department’s Incident Response Plan template. In particular, the components were not consistently reporting PII incidents within a 1-hour timeframe to DOJCERT, nor was DOJCERT consistently reporting PII incidents within a 1-hour timeframe to US-CERT.

We believe the components need further clarification from the Department on when the 1-hour window for reporting PII begins and ends and who must receive the report within 1 hour of discovery or detection – component IT staff, DOJCERT, or US-CERT. Three components remarked that the 1-hour timeframe was impractical and unrealistic. We believe the Department should examine and clarify the 1-hour timeframe.

The components told us that training was the primary means of ensuring that employees report computer security incidents. The training most often used was the Department’s annual Computer Security Awareness Training. Also, some components have developed additional methods of reminding their employees of the requirement to report computer security incidents that we consider Best Practices. For example, the Criminal Division displays security tips, including procedures for reporting computer security incidents, on employees’ computer monitors each time they log in.
We believe the Department and other components should examine these practices and determine if any should be adopted Department-wide.

Neither the Department nor any of the components we reviewed have developed procedures for notifying affected individuals in the event of a loss of PII. To address this issue, the Department’s Privacy and Civil Liberties Office and the Office of the CIO are working together to develop a Department-wide policy. We believe this is a positive step and encourage the Department to finalize and issue this policy promptly.

To determine what data may have been lost as the result of a computer security incident, officials in all nine components interview the employee who reported the incident. Three components have developed questionnaires to conduct these interviews, while the other six components use more informal interviewing methods. Five components also use computer forensic techniques to supplement the information provided by the employee. DOJCERT told us that later in fiscal year 2007 it plans to release an Incident Response Handbook to provide the components with additional guidance on determining the type of data contained on lost equipment.

The Department has issued a standard definition of sensitive information in its Security Program Operating Manual, and seven components have developed component-specific definitions that are similar to the Department’s definition. The other two components use the Department’s definition. However, officials in seven of the nine components we reviewed stated that their components considered all information to be sensitive.

The Department currently relies on OMB’s definition of PII.
Most of the components reviewed expressed the opinion that the Department should develop its own, more specific definition of PII because they believed that OMB’s definition was vague and overbroad. We agree and encourage the Department to clarify the definition of PII.

Recommendations

We make eight recommendations to help the Department improve its computer security incident reporting procedures, including the procedures for reporting data loss and classified incidents.

We recommend that the Department:

1. Require all components to ensure their procedures cover reporting of after-hours incidents.

2. Review each component’s procedures for reporting classified incidents to ensure those procedures comply with the standards in the Department’s Security Program Operating Manual.

3. Clarify the requirement that all losses of PII be reported within 1 hour and to whom so that all Department employees understand who to report to and when the 1-hour timeframe begins and ends.

4. Ensure all components meet the established reporting timeframes.

5. Promptly implement a Department-wide policy for notifying affected individuals in the event of a loss of PII.

6. Develop a Department-specific definition of PII.

7. Consider whether any of the procedures described as “Best Practices” should be implemented across the Department.

8. Ensure that components update their internal policies to reflect correct reporting procedures in conformance with the DOJCERT Incident Response Plan template and contain up-to-date titles of internal departments and staff.

APPENDIX I: ATF REPORTING PROCEDURES

Introduction

Between December 2005 and November 2006, ATF reported 70 computer security incidents to DOJCERT, including 8 incidents involving potential PII loss and 1 incident potentially involving classified information.62 According to ATF officials we interviewed, a reportable computer security incident is the loss of any data on an electronic device such as a laptop or BlackBerry device, receipt of an e-mail with a virus, or a server failure or hard drive crash in which all information was not backed up and could not be fully restored or reconstructed. ATF policy defines a computer security incident as “any event or condition that has the potential to affect the security or accreditation of an automated information system and that may result from either intentional or unintentional actions.”63 ATF considers “security incident” synonymous with “security violation,” which is defined as “an event that may result in the disclosure of sensitive information to unauthorized individuals or that results in the unauthorized modification or destruction of system data, the loss of computer system processing capability, or the loss or theft of any computer system resources.”64

ATF policy defines sensitive information as a category of unclassified information.
Sensitive information is used synonymously with Sensitive But Unclassified and defined as “any information, the loss, misuse, or unauthorized access to, or modification of which could adversely affect the national interest or the conduct of federal programs.”65

ATF has no written definition of PII but stated that in practice it defines PII as a collection of several pieces of information that can be used to identify a specific person or to construct an identity; for example, a social security number plus an address constitutes PII. What constitutes PII is a judgment call, according to ATF staff we interviewed, and they believed there should be more guidance from the Department regarding this definition. According to these officials, PII was not a term that was used prior to the May 2006 Department of Veterans Affairs’ laptop theft.66

62 As of January 31, 2007, the loss of PII had been confirmed in two of these eight incidents. The remaining six incidents involve potential losses of PII.

63 ATF H 7250.1, Automated Information System Security Program, July 26, 2006, p. B-13.

64 ATF H 7250.1, p. B-14.

65 ATF H 7250.1, p. B-14.

66 Previous regulatory guidance from NIST on information systems did not specifically define PII and as a result, Department components were not required to identify which systems process or store PII. OMB Memorandums M-06-15 and M-06-19, issued in May and July 2006 respectively, required federal agencies to identify and ensure adequate safeguards to protect systems that contain PII, defined PII, and required, for the first time, that all incidents involving PII be reported to US-CERT within 1 hour.

ATF uses the definition of classified information contained in Executive Order 12958, as Amended, Classified National Security Information, dated March 25, 2003.67 This order requires all components in the Department and other executive branch agencies to use its uniform definitions.

67 Executive Order 12958 provides for three classification levels. The “Top Secret” classification shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security. The “Secret” classification shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security. The “Confidential” classification shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.

Reporting Procedures

ATF has three written policies that define procedures for reporting computer security incidents:

• Automated Information System Security Program (ATF H 7250.1), dated July 26, 2006;
• Computer Security Incident Response Capability Incident Response Plan, dated July 24, 2006; and
• Computer Security Incident Response Capability (ATF Order O 7500.4A), dated April 12, 2005.

The Automated Information System Security Program establishes the requirements for managing ATF’s information systems to ensure the confidentiality, integrity, and accountability of those systems. It complements the DOJCERT and ATF Incident Response Plans by providing more detailed security roles and responsibilities for all employees and by expanding on the responsibilities and reporting instructions for specific staff in the event of a computer security incident. However, this policy also provides contradictory guidance to ATF employees. In two sections of the policy, it lists the Help Desk as the primary point of contact for all users to contact when reporting computer security incidents. In two other sections, it lists the Information Systems Security Office as the primary point of contact.

ATF’s July 2006 Incident Response Plan conforms to the DOJCERT Incident Response Plan template, and lists the roles and responsibilities for ATF employees when reporting all suspicious computer events or incidents to ATF’s Help Desk or Security Office. Section 9.3 of this plan, titled “Incident Reporting,” includes ATF-specific procedures for reporting computer security incidents for the categories of technical/non-sensitive, sensitive, and classified information. DOJCERT added the data loss and PII requirements to its Incident Response Plan template in November 2006 with the requirement that all components incorporate this update by December 29, 2006.
As of April 17, 2007, ATF has updated its Incident Response Plan to reflect requirements for reporting data loss incidents that include the loss of PII, but has not yet submitted it to DOJCERT for approval. ATF stated that this update will also include after-hours reporting procedures.

The Computer Security Incident Response Capability policy also describes expanded duties, responsibilities, and guidance to all ATF employees to respond to computer security incidents.

Reporting procedures are to be initiated as soon as an employee realizes that a potential computer security incident has occurred. Reporting procedures for non-sensitive, sensitive, and classified information are described below.

Non-Sensitive Information

For non-sensitive information, all ATF employees are required to report computer security incidents to the Help Desk by telephone, facsimile, e-mail, or in person, or via secure U.S. Postal Service mail. According to ATF officials, in practice the employee, although not required by written policy, will also notify his or her supervisor.68

68 According to ATF officials, ATF employees in the field offices report security incidents to their field supervisors, who in turn report the incidents through their chain of command to the Help Desk and the Information Systems Security Office at ATF Headquarters.

According to ATF officials, the Help Desk is used as the main point of contact for all incidents and is responsible for reporting all incident-related information to the Information Systems Security Office.69 The person serving as the Information Systems Security Officer also serves as the Computer Security Incident Response Capability Coordinator. The Information Systems Security Office is required to report computer security incidents to DOJCERT within the timeframes required for the priority level of the incident as established in the DOJCERT Incident Response Plan. The Information Systems Security Office is required to notify DOJCERT by logging into the Archer Database and recording the incident. The Archer Database also serves as ATF’s incident tracking system. When appropriate, the Information Systems Security Office may also notify managers such as the employee’s Division Chief and the Office of Operations Security, and even the Department’s CIO.

69 Help Desk staff also are responsible for recording all incident reports from employees, for making an initial assessment of the criticality (classified, mission-critical, and so forth) and the priority level of the incident, and for assigning the incident to the Computer Security Incident Response Capability team for investigation.

When laptops or BlackBerry devices are lost or stolen, the ATF Investigations Division, Office of Professional Responsibility, and Security Operations must be notified. Also, in the event of a theft of a laptop or BlackBerry device, the employee involved is required to contact local law enforcement and may be required to provide a copy of the police report to his or her supervisor. For such thefts, the Information Systems Security Office also is required to notify the FBI, which should enter the stolen device’s serial number into the National Crime Information Center (NCIC) system.70 The ATF Investigations Division should be notified by the Information Systems Security Office of all incidents in which employee misconduct may be involved. Chart 5 shows ATF’s reporting procedures for loss of non-sensitive information.

70 The NCIC is a computerized index of criminal justice information (i.e., information on criminal histories, fugitives, stolen property, missing persons, foreign fugitives, immigration violators, violent gangs, and terrorist organizations) maintained by the FBI.

Chart 5: Flowchart of ATF’s Reporting Procedures for Loss of Non-Sensitive Information

[Flowchart: Employee -> Help Desk -> Information Systems Security Office -> DOJCERT]

Sensitive Information

If sensitive information, including PII, is involved, ATF employees are required to contact the Information Systems Security Officer/Computer Security Incident Response Capability Coordinator directly. The Officer is then required to contact DOJCERT within the timeframes required for the category of incident. The Officer is also required to notify the Help Desk.
Chart 6 shows ATF’s reporting procedures for loss of sensitive information.

Chart 6: Flowchart of ATF’s Reporting Procedures for Loss of Sensitive Information

[Flowchart: Employee -> Information Systems Security Office/Computer Security Incident Response Capability Coordinator -> DOJCERT (if PII, within 1 hour); the Coordinator also notifies the Help Desk]

Classified Information

If classified information is involved, employees are required to contact the Information Systems Security Officer/Computer Security Incident Response Capability Coordinator in person or via secured facsimile or secure telephone. ATF officials told us that in practice the employee, although not required by written policy, will also notify his or her supervisor. The Computer Security Incident Response Capability Coordinator has a Top Secret clearance to respond to such incidents. The Information Systems Security Office is then required to contact both DOJCERT and Security and Emergency Planning Staff (SEPS), which handles the Department’s classified incidents. ATF does not provide DOJCERT or SEPS with details concerning the specific classified information that was lost or compromised.
Chart 7 shows ATF’s reporting procedures for loss of classified information.

Chart 7: Flowchart of ATF’s Reporting Procedures for Loss of Classified Information

[Flowchart: Employee -> Information Systems Security Office/Computer Security Incident Response Capability Coordinator -> DOJCERT and SEPS; Employee -> Supervisor]

Indications of Compliance with Reporting Procedures

ATF officials told us that they believed their employees were following the correct reporting procedures. While we did not validate this statement, our analysis of the Archer Database showed that ATF was not always reporting computer security incidents, including PII, within the required timeframes specified in both the DOJCERT and ATF Incident Response Plans. Between December 2005 and November 2006, ATF reported 78 percent of its computer security incidents to DOJCERT within the required timeframes. Further, 66 percent of the PII incidents that occurred on or after July 12, 2006 were reported within the required 1-hour timeframe.71 Table 7 shows ATF’s reporting in each category.72

71 We did not analyze incidents for timeliness that occurred before OMB established the 1-hour timeframe in July 2006.

72 Our calculations are based on Categories 1 through 5 and Category 7. We did not include incidents found in Categories 0 and 6 because they had no associated time criteria, nor did we include incidents for which the Archer Database contained no information to indicate when DOJCERT received the report that an incident had occurred.

Table 7: ATF’s Timeliness in Reporting Incidents to DOJCERT

Category                          Reporting    Incidents   Reported within   Reported after   Could not compute
                                  timeframe*   reported    timeframe         timeframe        timeliness**
Category 0 (Exercise/Test)        None              2        N/A               N/A               2
Category 1 (Unauthorized Access)  1 hour           13          2                10               1
Category 2 (Denial of Service)    2 hours           0        N/A               N/A             N/A
Category 3 (Malicious Code)       1 day             9          5                 2               2
Category 4 (Improper Usage)       1 week            5          3                 1               1
Category 5 (Scans/Probes)         1 month          18         17                 0               1
Category 6 (Investigation)        None              5        N/A               N/A               5
Category 7 (Spam)                 1 month          18         18                 0               0
Total                                              70         45                13              12
PII incidents occurring on or
after 7/12/06***                  1 hour            6          4                 2               0

* For purposes of this table, reporting timeframes for Categories 0-7 refer to the timeframes defined in the Incident Response Plan. Reporting timeframe for PII incidents refers to the timeframe defined in OMB Memorandum M-06-19.
** Some records did not include information to indicate when DOJCERT received the reports. Category 0 and 6 incidents, for which there are no reporting timeframes, are also included in this category.
*** PII incidents were reported in varying incident categories.
Source: Archer Database

Ensuring All Incidents Are Reported

Although ATF uses several methods to ensure employees know to report computer security incidents involving potential data loss, it relies primarily on training. ATF uses the Department’s required annual Computer Security Awareness Training to educate and remind staff of their reporting responsibilities as well as of what is considered a reportable incident. All employees are also required to read and sign ATF’s Conduct and Accountability and Rules of Behavior statements that address employees’ responsibilities regarding the reporting of any incidents of improper use and the security and care of accountable property assigned to them. ATF also told us that it conducts property audits annually in which all staff are asked to bring in their accountable property to check against inventory. If property (such as a laptop or a BlackBerry device) is missing, the inventory uncovers the loss.

Notification to Affected Parties

ATF has not developed policies concerning notification to affected parties in the event of a loss of PII.

Determining the Type of Data Lost

To determine the type of data lost or compromised, ATF relies on interviewing the employee involved through an investigation conducted by the Computer Security Incident Response Capability team (which includes the Information Systems Security Officer as Computer Security Incident Response Capability Coordinator).
The team determines, among other things, the type of incident, its level of impact, what action needs to be taken, and who should be involved in the investigation process. In interviewing the employee, the team attempts to determine what information may have been stored on the device. ATF staff told us that the Information Systems Security Office created a list of interview questions to help identify the lost or compromised data. ATF may also try to identify information on the employee’s hard drive through the network system.

APPENDIX II: BOP REPORTING PROCEDURES

Introduction

Between December 2005 and November 2006, the BOP reported 252 security incidents to DOJCERT, including 24 incidents involving potential PII loss.73 None of the incidents involved the loss of classified information.74 According to BOP officials we interviewed, a reportable computer security incident or a reportable data loss includes the loss of PII, data lost due to a corrupted data system, violation of the Privacy Act, or an unauthorized release of information. A computer security incident or “violation” is defined by the BOP in its Information Security policy as an event such as password sharing, social engineering, computer hacking, software viruses, or other unauthorized information or system access, theft, or loss of automatic data processing equipment.75

73 As of January 31, 2007, the loss of PII has been confirmed in 4 of these 24 incidents. The remaining 20 incidents involve potential losses of PII.

74 The BOP processes classified information on a very limited basis, as its networks are not authorized to process classified information. The BOP has only one stand-alone laptop computer that is authorized for classified processing, located at BOP Central Office. A second networked laptop, also physically located at BOP Central Office, is owned by the FBI, which must approve all system access.

75 BOP, Information Security, P1237.13, March 31, 2006, Chapter 2, pp. 24-25.

The BOP defines sensitive information as information that, if released to the public, would pose an unacceptable risk to the BOP, its employees, or its inmate population. The BOP considers the term “sensitive” to be synonymous with Sensitive But Unclassified. All of the BOP’s databases are considered Sensitive But Unclassified. The BOP does not have a policy that specifically defines PII, as it is treated as synonymous with sensitive information.

Reporting Procedures

The BOP relies on two documents, in addition to the DOJCERT Incident Response Plan template, when reporting incidents of data loss:

   1. BOP Information Security Policy, which provides primarily for the security and maintenance of information, computers, terminals, telecommunications, and data communications systems. This policy also provides incident response and reporting procedures, describes staff responsibilities related to information and computer security (including the BOP’s Rules of Behavior), and sets annual training requirements to meet those responsibilities; and

   2. BOP Incident Response Plan, which is consistent with the DOJCERT Incident Response Plan template and was updated to reflect DOJCERT’s most recent November 2006 changes that incorporate reporting procedures for loss of PII.

The BOP’s Information Security Policy instructs employees in all institutions, Regional Offices, and Community Corrections Centers to report computer security violations to the facility Information Security Officer as soon as possible. Employees are also required to report loss or theft to the Property Officer. The Information Security Officer is required to then notify the BOP’s Central Office Information Security Programs Section. Employees at the BOP’s Central Office are to notify the Information Security Programs Section directly rather than reporting through an Information Security Officer. If PII is involved, notification is required to be made to the Information Security Programs Section within 1 hour. The Information Security Programs Section should then notify DOJCERT within the timeframes specified in the BOP Incident Response Plan. The BOP’s Incident Response Plan, revised in December 2006, reflects timeframes in which to notify DOJCERT depending on the category and severity of the incident.

The Information Security policy further states that relevant supervisors, managers, executive staff, and Regional Administrators should also be notified. The Information Security Officer therefore notifies the appropriate chain of command (facility executive staff and regional personnel), including the Information Security Programs Section at the Central Office. The Information Security Officer, upon verification of the security threat, is encouraged to notify other facilities or localities that may be similarly susceptible to a particular security violation.
Chart 8 shows the BOP’s reporting procedures for loss of sensitive information.

Although the BOP’s processing of classified information is very limited, a BOP official told us that if a computer security incident occurred involving classified information, they would follow the Department’s SPOM and report the incident to the Department’s Security Officer.

Chart 8: Flowchart of the BOP’s Reporting Procedures for Loss of Sensitive Information

[Flowchart: Facility employee -> Facility Information Security Officer -> Central Office Information Security Programs Section -> DOJCERT (if PII, within 1 hour); Central Office Information Security Programs Section -> SEPS (if classified); Facility employee -> Property Manager; Central Office employee -> Central Office Information Security Programs Section directly]

If a computer security incident occurs after hours at one of the BOP facilities, the employee should call the facility’s Control Center, which is manned 24 hours a day. The Control Center then calls the Information Security Officer at home. The Information Security Officer should then follow the procedures described above. Chart 9 shows the BOP’s procedures for after-hours reporting of loss of sensitive information.

Chart 9: Flowchart of BOP Facility Staff After-Hours Reporting Procedures for Loss of Sensitive Information

[Flowchart: Facility employee -> Facility Control Center -> Facility Information Security Officer -> Central Office Information Security Programs Section -> DOJCERT (if PII, within 1 hour)]

In the event of a theft of a laptop or BlackBerry device at the Central Office, the BOP is required to report the theft to Federal Protective Service.76 If a theft or other computer security crime occurs at a facility, the FBI should be notified because it has jurisdiction to investigate crimes occurring in federal prisons. Employees should contact the local police department in the event of a laptop or BlackBerry device theft off-site. Any of these law enforcement officials should enter the theft into the NCIC database.
Additionally, if employee negligence is suspected, the incident should be referred to the BOP Office of Internal Affairs and the OIG for possible investigation.

76 The Department of Homeland Security’s Federal Protective Service provides law enforcement and security services to federal government agencies that occupy federally owned and leased facilities nationwide.

Indications of Compliance with Reporting Procedures

BOP officials told us that they believed their employees were following the correct reporting procedures. While we did not validate this statement, our analysis of the Archer Database showed that the BOP was not always reporting computer security incidents, including PII, within the required timeframes specified in both the DOJCERT and BOP Incident Response Plans. Between December 2005 and November 2006, BOP reported only 37 percent of its computer security incidents to DOJCERT within the required timeframes. Further, only 14 percent of the PII incidents that occurred on or after July 12, 2006 were reported to DOJCERT within the required 1-hour timeframe.77 Table 8 shows the BOP’s reporting in each category.78

77 We did not analyze incidents for timeliness that occurred before OMB established the 1-hour timeframe in July 2006.

78 Our calculations are based on Categories 1 through 5 and Category 7. We did not include incidents found in Categories 0 and 6 because they had no associated time criteria, nor did we include incidents for which the Archer Database contained no information to indicate when DOJCERT received the report that an incident had occurred.

Table 8: The BOP’s Timeliness in Reporting Incidents to DOJCERT

Category                          Reporting    Incidents   Reported within   Reported after   Could not compute
                                  timeframe*   reported    timeframe         timeframe        timeliness**
Category 0 (Exercise/Test)        None              4        N/A               N/A               4
Category 1 (Unauthorized Access)  1 hour           19          2                17               0
Category 2 (Denial of Service)    2 hours           2          0                 2               0
Category 3 (Malicious Code)       1 day           144         34                98              12
Category 4 (Improper Usage)       1 week           34         17                17               0
Category 5 (Scans/Probes)         1 month          19         15                 2               2
Category 6 (Investigation)        None             14        N/A               N/A              14
Category 7 (Spam)                 1 month          16         12                 1               3
Total                                             252         80               137              35
PII incidents occurring on or
after 7/12/06***                  1 hour            7          1                 6               0

* For purposes of this table, reporting timeframes for Categories 0-7 refer to the timeframes defined in the Incident Response Plan. Reporting timeframe for PII incidents refers to the timeframe defined in OMB Memorandum M-06-19.
** Some records did not include information to indicate when DOJCERT received the reports. Category 0 and 6 incidents, for which there are no reporting timeframes, are also included in this category.
*** PII incidents were reported in varying incident categories.
Source: Archer Database

Ensuring All Incidents Are Reported

The BOP relies on several methods to ensure that all computer security incidents are reported: training, program reviews, and policies. The BOP administers annual computer security training to all staff to educate them on their reporting responsibilities. The BOP also said that it conducts program reviews to ensure reporting procedures are being followed in the program area of information security. A BOP program or operational review is required annually for each facility’s Information Security program.79 Program reviews are a system of internal reviews conducted by BOP staff who are subject matter experts in the program under review. These reviews ensure that programs are in compliance with applicable laws, regulations, and policies.

79 BOP, Information Security, P1237.13, March 31, 2006.

The BOP Property Management Manual also establishes employee responsibilities for the management and control of government-owned personal property such as laptops and BlackBerry devices.80 Designated Property Officers are responsible for maintaining up-to-date computer inventories of all accountable government-owned personal property and reconciling that property list against required quarterly and annual physical inventories conducted in all BOP facilities. According to policy, if a lost or stolen electronic device was not reported, both the Property Officer and the employee are held liable for the property.
The Property Management Manual states that it is the employee’s duty to report loss, theft, or damage to accountable property and requires that reports be made to the Property Officer upon discovery (but no later than the next working day).

80 BOP, Property Management Manual, P4400.05, May 26, 2004.

This policy also establishes the Board of Survey, a BOP committee that investigates the circumstances surrounding lost, stolen, missing, damaged, or destroyed government-owned personal property. The board makes recommendations consistent with the findings disclosed by its review and, if applicable, may refer cases to the Office of Internal Affairs, which can refer cases to the OIG or the Criminal Division for prosecution.

The BOP also has Rules of Behavior concerning the use and security of computer systems.81 The rules notify employees that sensitive information is to be protected from disclosure to unauthorized individuals and that they will be sanctioned for unauthorized use, disclosure, destruction, or misuse of information resources. The rules also state that security violations and system vulnerabilities are to be immediately reported to the appropriate authorities.

81 The BOP’s Rules of Behavior are contained in a BOP policy entitled Information Resources Protection, P1237.12, February 20, 2001.

Notification to Affected Parties

The BOP has not developed policies concerning notification to affected parties in the event of a loss of PII.

Determining the Type of Data Lost

The BOP said that it determines the type of data lost by having the Information Security Officer interview the employee involved in the computer security incident. The BOP Information Security policy states that the Information Security Officer may perform a preliminary review to confirm that a computer security violation has occurred.

The BOP also said that it has instituted controls to restrict employee access to sensitive data. The head of a facility is required to give written approval to employees before they remove laptops (or other devices) to process sensitive data off-site, such as while at home or traveling on official business. According to policy, a written request from the employee must include the type of device (such as a laptop), a description of the contents, and the purpose of the data removal.82 However, in practice, according to interviews, it is up to the head of each facility whether the contents are actually described in the request.

82 BOP, Information Security, P1237.13, March 31, 2006, p. 14.

APPENDIX III: CRIMINAL DIVISION REPORTING PROCEDURES

Introduction

Between December 2005 and November 2006, the Criminal Division reported 24 security incidents to DOJCERT, including 5 incidents involving potential PII loss and 10 incidents potentially involving classified information.83 The Criminal Division considers a reportable data loss to be information on lost electronic media (CD-ROM, disk, or tape) and electronic devices (BlackBerry device or laptop), or information intentionally or inadvertently released from its network. Several Criminal Division policies refer to the term “Sensitive But Unclassified” without defining it.
In general, the Criminal Division considers all of its information to be sensitive and relies on the Department’s definition of the term “sensitive information.”84 The Criminal Division uses the definition of PII found in OMB Memorandum M-06-19 and therefore considers PII to be “any information about an individual” that is “maintained by an agency . . . which can be used to distinguish or trace an individual’s identity.” To define classified information, the Criminal Division relies on the National Security Information definition in Executive Order 12958, as Amended, Classified National Security Information, dated March 25, 2003.

Reporting Procedures

       The Criminal Division uses a single Incident Response Plan for reporting sensitive, PII, and classified computer security incidents. The division has updated its plan to conform to the DOJCERT template of November 2006; the plan identifies the seven categories of incidents that should be reported to DOJCERT within specified timeframes. Reporting procedures for sensitive, PII, and classified information are as follows.

       83 As of January 31, 2007, the loss of PII has been confirmed in one of these five incidents. The remaining four incidents involve potential losses of PII.

       84 The Department’s Security Program Operating Manual defines sensitive information as “any information, the loss, misuse, modification of, or unauthorized access to, could affect the national interest, law enforcement activities, the conduct of Federal programs, or the privacy to which individuals are entitled under Section 552a of Title 5, U.S. Code, but that has not been specifically authorized under criteria established by an executive order or an act of Congress to be kept classified in the interest of national defense or foreign policy.”

Sensitive and PII Reporting Procedures

      Criminal Division employees are required to report a potential sensitive computer security incident “immediately” to the division’s Information Technology Management Help Desk once it is determined that an incident has occurred. The Help Desk should then log the incident information in its ticketing database and notify the Incident Response Team, which consists of the Incident Response Team Coordinator, the Information Systems Security Manager, and the Network Security Officer. The Incident Response Team members should then determine what information needs to be collected for the initial informal incident report and provide this report, verbally or in writing, to DOJCERT. Once more information becomes known, the Network Security Officer should send a formal Preliminary Incident Report to DOJCERT, usually within 24 hours.

       If a computer security incident involving a potential loss of PII occurs during normal work hours, Criminal Division employees should follow the same process as for a sensitive data loss, except that the Incident Response Team makes an informal verbal or written report to DOJCERT within 1 hour. The Network Security Officer is directed to follow up with a formal Preliminary Incident Report within 24 hours.
Chart 10 shows the Criminal Division’s reporting procedures for loss of sensitive information, including PII.

Chart 10: Flowchart of Criminal Division’s Reporting Procedures for Loss of Sensitive Information, Including PII

       [Flowchart: Employee -> Information Technology Management Help Desk -> Incident Response Team -> DOJCERT (if PII, within 1 hour)]

Classified Information Incidents

       The Criminal Division is required to follow the procedures contained in the Department’s Security Program Operating Manual for reporting classified incidents. In addition to the notifications to the Help Desk and DOJCERT described above, the Incident Response Team also is required to notify the Department’s Security and Emergency Planning Staff (SEPS). Chart 11 shows the Criminal Division’s reporting procedures for loss of classified information.

Chart 11: Flowchart of the Criminal Division’s Reporting Procedures for Loss of Classified Information

       [Flowchart: Employee -> Information Technology Management Help Desk -> Incident Response Team -> DOJCERT and SEPS]

After-Hours Reporting Procedures

       If a sensitive, PII, or classified incident occurs after normal work hours, the employee involved should call the Help Desk representative who is on call after hours. The Help Desk should notify the Incident Response Team, which then notifies DOJCERT and SEPS (if the incident involves classified information). The Help Desk or a member of the Incident Response Team is required to follow up with the employee to ensure that all of the facts about the incident are collected and that the incident has been properly reported to DOJCERT via a Preliminary Incident Report. According to the Criminal Division’s Incident Response Plan, if the employee does not receive a return phone call from the Help Desk representative within 10 minutes, the employee should report the computer security incident directly to DOJCERT. If the incident involves classified information, the employee should also notify SEPS. Chart 12 shows the Criminal Division’s procedures for after-hours reporting of sensitive, PII, or classified computer security incidents.

Chart 12: Flowchart of the Criminal Division’s After-Hours Procedures for Reporting Loss of Sensitive, PII, or Classified Information

       [Flowchart: Employee -> Information Technology Management Help Desk Representative On Call -> Incident Response Team -> DOJCERT (if PII, within 1 hour) and SEPS. If the Help Desk does not return the phone call within 10 minutes: Employee -> DOJCERT (and SEPS) directly]

Indications of Compliance with Reporting Procedures

       Criminal Division officials told us that they believed their employees were following the correct reporting procedures. While we did not validate this statement, our analysis of the Archer Database showed that the Criminal Division was not always reporting computer security incidents, including PII, within the required timeframes specified in both the DOJCERT and Criminal Division Incident Response Plans. Between December 2005 and November 2006, the Criminal Division reported 60 percent of its computer security incidents to DOJCERT within the required timeframes.
However, none of the PII incidents that occurred on or after July 12, 2006, were reported within the required 1-hour timeframe.85 Table 9 shows the Criminal Division’s reporting in each category.86

       85 We did not analyze incidents for timeliness that occurred before OMB established the 1-hour timeframe in July 2006.

       86 Our calculations are based on Categories 1 through 5 and Category 7. We did not include incidents found in Categories 0 and 6 because they had no associated time criteria, nor did we include incidents for which the Archer Database contained no information to indicate when DOJCERT received the report that an incident had occurred.

 Table 9: The Criminal Division’s Timeliness in Reporting Incidents to DOJCERT

 Category                           Reporting    Incidents   Reported within   Reported after   Could not compute
                                    timeframe*   reported    timeframe         timeframe        timeliness**
 Category 0 (Exercise/Test)         None         0           N/A               N/A              N/A
 Category 1 (Unauthorized Access)   1 hour       1           0                 1                0
 Category 2 (Denial of Service)     2 hours      0           N/A               N/A              N/A
 Category 3 (Malicious Code)        1 day        8           2                 4                2
 Category 4 (Improper Usage)        1 week       8           6                 2                0
 Category 5 (Scans/Probes)          1 month      3           3                 0                0
 Category 6 (Investigation)         None         2           N/A               N/A              2
 Category 7 (Spam)                  1 month      2           1                 1                0
 Total                                           24          12                8                4
 PII incidents occurring on or
 after 7/12/06***                   1 hour       4           0                 4                0

* For purposes of this table, reporting timeframes for Categories 0-7 refer to the timeframes defined in the Incident Response Plan. The reporting timeframe for PII incidents refers to the timeframe defined in OMB Memorandum M-06-19.
** Some records did not include information to indicate when DOJCERT received the reports. Category 0 and 6 incidents, for which there are no reporting timeframes, are also included in this column.
*** PII incidents were reported in varying incident categories.
Source: Archer Database

Ensuring All Incidents Are Reported

       While the Criminal Division uses several methods to ensure that employees report incidents of data loss, it primarily relies on training and the Rules of Behavior. The annual Computer Security Awareness Training that is required of all Department employees includes a segment on protecting, preventing, and reporting PII loss or compromise. The Rules of Behavior require users to immediately report any evidence of tampering with a computer. A member of the Information Technology Management staff also told us that employees must read and sign the Rules of Behavior when they are hired and must review them yearly.

      Additionally, Criminal Division officials told us that when each computer in the Criminal Division starts up it displays a security statement screen that gives examples of security incidents, which serves as a daily reminder to all employees of their responsibility to report incidents.
The Criminal Division also said it uses a physical property inventory to identify missing electronic devices.

Notification to Affected Parties

       The Criminal Division has not developed policies concerning notification to affected parties in the event of a loss of PII.

Determining the Type of Data Lost

      The Criminal Division said that it generally interviews its employees and obtains a statement of facts as the primary means of determining what information was on a disk, laptop, or other electronic device that was lost, stolen, or compromised. According to one Information Technology Management official, employees “know what was on the device.”

       In addition to interviewing the employee, the Criminal Division said that it has controls in place to monitor what is on electronic devices. For example, the Criminal Division said that a record is made of all e-mail that passes through a server to and from a BlackBerry device, so that if a BlackBerry device were lost, a method to identify the e-mail information on the device is available. Also, the Criminal Division said that a “kill signal” can be sent to a BlackBerry device once its loss is known, rendering it useless and the information on it inaccessible.

              APPENDIX IV: DEA REPORTING PROCEDURES

Introduction

      Between December 2005 and November 2006, the DEA reported 43 security incidents to DOJCERT, including 6 incidents involving potential PII loss and 2 incidents potentially involving classified information.87 The DEA considers a reportable computer security incident to be any loss of electronic devices that might contain sensitive information, such as laptops, flash drives, removable hard drives, tapes, or CD-ROMs.

      The DEA considers all of its information to be sensitive, categorizing it as either Sensitive But Unclassified, Law Enforcement Sensitive, For Official Use Only, or DEA Sensitive. The DEA defines Sensitive But Unclassified information as information subject to controls outside the formal system for classifying National Security Information and considers Sensitive But Unclassified information exempt from release to the public under the Freedom of Information Act. Law Enforcement Sensitive information is a subset of Sensitive But Unclassified. The term For Official Use Only is used to identify information or material that, although unclassified, may not be appropriate for public release. DEA Sensitive information is information, media, or material that must be afforded a higher level of protection than Sensitive But Unclassified information.
According to the DEA, this includes information and materials:

       •    That are investigative in nature;
       •    To which access is restricted by law;
       •    That are critical to the operation and mission of the DEA;
       •    That, if disclosed, would violate a privileged relationship; and
       •    That relate to any DEA employee’s identification or location if revealing such information would negatively affect an operation or mission.88

       The DEA has adopted the definition of PII that was published in OMB Memorandum M-06-19 on July 12, 2006. The DEA broadcast this definition to all DEA employees in an e-mail from the DEA’s CIO and the DEA’s Chief Inspector on October 12, 2006.89 The broadcast e-mail defined PII as:

       any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, criminal or employment history, and any information which can be used to distinguish or can be traced to an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

      The DEA uses the definition of classified information contained in Executive Order 12958, as Amended, Classified National Security Information, dated March 25, 2003.

       87 According to the DEA, its internal documents and DOJCERT and SEPS records showed that only one incident involving classified information occurred during the review period. Further, of the six incidents cited by the OIG as involving potential PII loss, only two were actual or suspected losses of PII. However, the numbers that the DEA cites are not reflected in the DOJCERT Archer Database data, which we used for each of the nine components reviewed in our analysis. See the Purpose, Scope, and Methodology section of this report for a more detailed discussion of our method for deriving our numbers.

       88 DEA Policy, Control and Decontrol of DEA Sensitive Information, REF 99-001, June 2, 1999.

       89 DEA Headquarters broadcast e-mail to all DEA personnel, Personally Identifiable Information (PII) Media Loss Reporting Requirements and Procedures, October 12, 2006.

Reporting Procedures

      The DEA outlined its reporting procedures for DEA Sensitive, Law Enforcement Sensitive, For Official Use Only, and PII in its October 12, 2006, e-mail to all DEA employees. These procedures apply to information on electronic devices such as flash drives, laptops, hard disks, tapes, and CD-ROMs as well as to printed information. These procedures are also contained in the DEA’s eight Incident Response Plans, all of which have been updated to reflect the changes DOJCERT made to the November 2006 Incident Response Plan template.90

       90 One Incident Response Plan covers several IT systems that are part of the same IT network. The remaining seven Incident Response Plans cover seven stand-alone IT systems. The procedure defined in the Incident Response Plans is the same in each of the eight plans.

        The DEA’s written procedures for reporting computer security incidents involving Sensitive But Unclassified information, both electronic and paper, instruct all employees to report computer security incidents immediately to the DEA Headquarters Help Desk after determining that an incident has occurred.91 The Help Desk is then required to notify the Information Security Section, which should notify DOJCERT of incidents via the Archer Database. If the incident involves PII, the Information Security Section is required to report the incident to DOJCERT within 1 hour. The DEA Command Center is staffed 24 hours a day, 7 days a week. If an incident is reported outside normal business hours, the Help Desk should report it to the DEA Command Center instead of the Information Security Section, and the DEA Command Center should ensure that DOJCERT is notified within the required timeframe.
Chart 13 shows the DEA’s procedures for reporting sensitive information loss, including PII.

   Chart 13: Flowchart of DEA’s Reporting Procedures for Loss of Sensitive Information, Including PII

       [Flowchart: Employee -> DEA Headquarters Help Desk -> Information Security Section -> DOJCERT (if PII, within 1 hour). After hours: DEA Headquarters Help Desk -> DEA Command Center -> DOJCERT (if PII, within 1 hour)]

       Incidents involving classified information must be reported following the same procedures outlined in the Incident Response Plans. The DEA Incident Response Plans require the DEA to notify both DOJCERT and the Department’s Security and Emergency Planning Staff (SEPS) of all incidents involving classified information. Chart 14 shows the DEA’s procedures for reporting classified information loss.

        91 However, in interviews with DEA officials we were told that the employee reporting the loss is to notify his or her direct supervisor, and the supervisor is responsible for ensuring that the Help Desk is notified. Further, if a device has been reported lost or stolen, the supervisor is required to initiate a search for that device while the incident is being reported.

 Chart 14: Flowchart of the DEA’s Reporting Procedures for Loss of Classified Information

       [Flowchart: Employee -> DEA Headquarters Help Desk -> Information Security Section -> DOJCERT and SEPS]

       In the event a device has been stolen, the employee reporting the theft is required to contact the local police and obtain a police report after reporting the incident to the Help Desk. The DEA should then notify other law enforcement agencies about the loss of DEA information if there is a suspicion that such loss could have an impact on those agencies. The DEA should also notify the FBI about losses resulting from the theft of government equipment of significant value.

Indications of Compliance with Reporting Procedures

       DEA officials told us that they believed their employees were following the correct reporting procedures. While we did not validate this statement, our analysis of the Archer Database showed that the DEA was not always reporting computer security incidents, including PII, within the required timeframes specified in both the DOJCERT and DEA Incident Response Plans. Between December 2005 and November 2006, the DEA reported 75 percent of its computer security incidents to DOJCERT within the required timeframes.
However, only 17 percent of the PII incidents that occurred on or after July 12, 2006, were reported within the required 1-hour timeframe.92 Table 10 shows the DEA’s reporting in each category.93

       92 We did not analyze incidents for timeliness that occurred before OMB established the 1-hour timeframe in July 2006.

       93 Our calculations are based on Categories 1 through 5 and Category 7. We did not include incidents found in Categories 0 and 6 because they had no associated time criteria, nor did we include incidents for which the Archer Database contained no information to indicate when DOJCERT received the report that an incident had occurred.

        Table 10: The DEA’s Timeliness in Reporting Incidents to DOJCERT

 Category                           Reporting    Incidents   Reported within   Reported after   Could not compute
                                    timeframe*   reported    timeframe         timeframe        timeliness**
 Category 0 (Exercise/Test)         None         3           N/A               N/A              3
 Category 1 (Unauthorized Access)   1 hour       7           2                 5                0
 Category 2 (Denial of Service)     2 hours      0           N/A               N/A              N/A
 Category 3 (Malicious Code)        1 day        8           4                 2                2
 Category 4 (Improper Usage)        1 week       2           1                 1                0
 Category 5 (Scans/Probes)          1 month      3           3                 0                0
 Category 6 (Investigation)         None         6           N/A               N/A              6
 Category 7 (Spam)                  1 month      14          14                0                0
 Total                                           43          24                8                11
 PII incidents occurring on or
 after 7/12/06***                   1 hour       6           1                 5                0

* For purposes of this table, reporting timeframes for Categories 0-7 refer to the timeframes defined in the Incident Response Plan. The reporting timeframe for PII incidents refers to the timeframe defined in OMB Memorandum M-06-19.
** Some records did not include information to indicate when DOJCERT received the reports. Category 0 and 6 incidents, for which there are no reporting timeframes, are also included in this column.
*** PII incidents were reported in varying incident categories.
Source: Archer Database

Ensuring All Incidents Are Reported

      The DEA told us that it has taken a number of steps to ensure employees are aware of procedures for reporting computer security incidents. The DEA said that most plans or manuals are available to all DEA employees on a common server called Webster. One of the documents employees are required to review is the DEA’s Interim Information Technology Rules of Behavior, which instructs employees to immediately report all security incidents or suspected incidents to the DEA Help Desk.94 Employees are required to review these Rules of Behavior when they are hired and annually thereafter.

        To further reinforce these rules, the Deputy Chief Inspector in the Office of Security Programs sent a memorandum to the DEA Deputy Assistant Administrator in the Office of Information Systems advising of an amendment to the Rules of Behavior.
The memorandum stated that “[a]ll personnel shall immediately report any loss of sensitive information or PII to the HELPDESK.” This requirement was further reinforced in the most recent annual Computer Security Awareness Training, which explained the requirement to protect PII and report any loss of it.

       94 The Incident Response Plans are also on the Webster server and available to DEA employees should they need to find out how to report sensitive or PII computer security incidents.

Notification to Affected Parties

       The DEA has not developed policies concerning notification to affected parties in the event of a loss of PII.

Determining the Type of Data Lost

       The DEA said that it primarily relies on employee interviews to identify what was on lost equipment such as laptops and BlackBerry devices. However, under certain circumstances, DEA officials told us they can use computer forensics to determine what file was last accessed by an employee on a server. Doing so could suggest what information might have been downloaded to a lost laptop.

     APPENDIX V: EOUSA AND USAO REPORTING PROCEDURES

      EOUSA provides the 93 United States Attorneys’ Offices (USAO) with administrative management oversight, operational support, policy development, and coordination with other components of the Department and other federal agencies.
As part of this support, EOUSA provides policy and procedural assistance for implementation of all security programs for the USAOs and ensures compliance with all applicable statutes and Executive and Department Orders.95 The USAOs are required to report all computer security incidents to EOUSA, and EOUSA acts as the point of contact for notifying DOJCERT and the Security and Emergency Planning Staff (SEPS). For the purposes of this appendix, we use the acronym EOUSA to refer to EOUSA and the USAOs combined.

Introduction

      Between December 2005 and November 2006, EOUSA reported 463 security incidents to DOJCERT, including 142 incidents involving potential PII loss and 4 incidents potentially involving classified information.96 According to an EOUSA official, EOUSA considers a reportable computer security incident to be any physical loss of media, systems information, or a breach that results in the loss of data, a laptop, a cell phone, or a wireless device such as a BlackBerry device.

       EOUSA considers its information to be either Limited Official Use or classified; however, most of its information is designated as Limited Official Use. EOUSA relies on the 1982 DOJ Order 2620.7, which defines Limited Official Use as “unclassified information of a sensitive, proprietary or personally private nature which must be protected against release to unauthorized individuals . . . .”97 EOUSA uses the term Limited Official Use as synonymous with the terms “sensitive” and “Sensitive But Unclassified.” Limited Official Use information includes but is not limited to “grand jury information, informant and witness information, investigative material, federal tax and tax return information, Privacy Act information, and information that can cause risk to individuals or could be sold for profit.”98

       95 United States Attorneys’ Manual, Security Programs Management, § 3-15.010, August 2004.

       96 As of January 31, 2007, the loss of PII has been confirmed in three incidents. The remaining 139 incidents involve potential losses of PII.

       97 DOJ Order 2620.7, Control and Protection of Limited Official Use Information, September 1, 1982, p. 1.

       98 United States Attorneys’ Manual, Security Programs Management, § 3-15.120, August 2004.

        In 2003, EOUSA further defined Limited Official Use information to include the term Law Enforcement Sensitive, which developed through “common usage and agency culture to identify a specific type of Limited Official Use or Sensitive information,” for example, intelligence information unrelated to terrorism.99

       EOUSA considers PII a category of sensitive information. While EOUSA does not have its own specific definition of PII, it has adopted the definition of PII published in OMB Memorandum M-06-15 to Department and agency heads, which defines PII as “any information about an individual” that is “maintained by an agency . . . which can be used to distinguish or trace an individual’s identity.”100

      To define classified information, EOUSA relies on the National Security Information definition in Executive Order 12958, as Amended, Classified National Security Information, dated March 25, 2003.101

       99 EOUSA Memorandum sent via e-mail, Limited Official Use (Sensitive) Information Designation, January 14, 2003.

       100 OMB Memorandum M-06-15 for Heads of Departments and Agencies, Safeguarding Personally Identifiable Information, Clay Johnson III, Acting Director, May 22, 2006.

       101 Executive Order 12958, Classified National Security Information, April 17, 1995.

Reporting Procedures

Limited Official Use and PII Reporting Procedures

      EOUSA has several written policies that contain instructions for reporting computer security incidents. General reporting procedures for Sensitive But Unclassified (Limited Official Use) information and PII are contained in EOUSA’s Incident Response Plan, dated December 13, 2006. This plan is consistent with the DOJCERT Incident Response Plan and has been updated to reflect DOJCERT’s November 2006 revision. Additionally, written policies and procedures for USAOs are contained in the United States Attorneys’ Manual and the United States Attorneys’ Procedures.102 However, because no one policy defines the entire reporting chain of command from the field to EOUSA to DOJCERT, our description of reporting procedures is taken from a combination of policies, draft policies, and practice as stated by EOUSA officials during interviews.

      According to interviews, the procedures for reporting computer security incidents involving Limited Official Use (Sensitive But Unclassified) information and PII are as follows. In the USAO districts, an employee is required to immediately notify the District Office Security Manager that a computer security incident has occurred.103 If the District Office Security Manager is unreachable, the employee should report the incident to the Regional Security Specialist for that District’s region. The District Office Security Manager or Regional Security Specialist should then e-mail an incident report to the Assistant Director, Information Systems Security Staff, who should report the incident to DOJCERT. If a data loss incident occurs at EOUSA, the employee or the employee’s immediate supervisor should notify the Assistant Director, Information Systems Security Staff. If PII is involved, the Assistant Director should notify DOJCERT within 1 hour.

       For incidents that do not involve PII, DOJCERT should be notified within the timeframes specified in the EOUSA Incident Response Plan. For both EOUSA and the USAOs, when an incident occurs after hours, the employee should contact the EOUSA Security Operations Center.104 Depending on the severity of the incident, the Assistant Director may also report the incident immediately to the Department’s CIO.
An\nexample of a severe incident could be a virus outbreak that hinders the\noperating capability of EOUSA or a particular USAO office. Chart 15\nshows EOUSA\xe2\x80\x99s procedures for reporting the loss of sensitive\ninformation, including PII.\n\n\n\n\n       102The manual contains general policies and procedures relevant to the work of\nthe USAOs and to their relations with the legal divisions, investigative agencies, and\nother components within the Department. United States Attorneys\xe2\x80\x99 Manual, \xc2\xa7 1-1.100,\nSeptember 1997.\n\n       103 An employee may also notify his or her immediate supervisor, who then\nreports the incident to the District Office Security Manager. Each USAO has a District\nOffice Security Manager.\n\n        104 In April 2007, an EOUSA official stated that EOUSA had developed a draft\n\npolicy on after-hours reporting procedures, but that this policy had not yet been issued.\n\n\nU.S. Department of Justice                                                            66\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c Chart 15: Flowchart of EOUSA\xe2\x80\x99s Reporting Procedures for Loss of\n               Sensitive Information, Including PII\n\n\n         Supervisor\n\n\n\n           EOUSA\n          Employee\n                                                                          If PII\n                                                           Assistant      within\n                                     District Office       Director,\n           District                                                       1 hour\n                                       Security           Information                 DOJCERT\n          Employee                                          Systems\n                                       Manager\n                                                         Security Staff\n\n\n\n\n          If unable to\n                                            Regional\n         reach 
District\n         Office Security                     Security\n            Manager                         Specialist\n\n\n                                             EOUSA                          If PII within\n                           After-hours      Security                        1 hour\n                                           Operations\n                                             Center\n\n\nClassified Reporting Procedures\n\n      For reporting classified information loss, the EOUSA\xe2\x80\x99s Incident\nResponse Plan states that reporting procedures shall be done in\naccordance with the Department\xe2\x80\x99s Security Program Operations Manual.\nAccording to EOUSA officials we interviewed, when an USAO employee\ndiscovers a classified incident, the employee is required to report the\nincident to his or her supervisor and then to the District Office Security\nManager. The District Office Security Manager in turn should report it to\nEOUSA\xe2\x80\x99s Information Security Program Manager. The Information\nSecurity Program Manager then should obtain the facts of the incident\nfrom the District Office Security Manager or EOUSA employee and\nforward the incident report to his supervisor, the Security Programs\nManager, who then forwards the report to SEPS. If a data loss occurred\nat EOUSA Headquarters, the employee should report directly to EOUSA\xe2\x80\x99s\nInformation Security Program Manager. Chart 16 shows EOUSA\xe2\x80\x99s\nprocedures for reporting classified information loss.\n\n\nU.S. 
Department of Justice                                                            67\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c  Chart 16: Flowchart of EOUSA\xe2\x80\x99s Reporting Procedures for Loss of\n                      Classified Information\n\n\n              EOUSA\n             Employee\n\n                                  District Office\n                                     Security\n                                    Manager                  EOUSA\n              District                                                              EOUSA\n                                                           Information\n             Employe e                                                             Security\n                                                             Security\n                                                                                  P rograms\n                                                             P rogram\n                                                                                  Manager\n                                 Supervisor                  Manager\n\n\n\n\n         If unable to                                                              SEPS\n        reach District                Regional\n        Office Security                Security\n           Manager                    Specialist\n\n\n\n\nIndications of Compliance with Reporting Procedures\n\n       We were told in interviews by EOUSA officials that they believed\ntheir employees were following the reporting procedures. While we did\nnot validate this statement, our analysis of the Archer Database showed\nthat EOUSA was not always reporting computer security incidents,\nincluding PII, within the required timeframes specified in both the\nDOJCERT and EOUSA Incident Response Plan. Between December 2005\nand November 2006, EOUSA reported 80 percent of its computer security\nincidents to DOJCERT within the required timeframes. 
However, only 16\npercent of the PII incidents that occurred on or after July 12, 2006 were\nreported within the required 1-hour timeframe.105 Table 11 shows\nEOUSA\xe2\x80\x99s reporting in each category.106\n\n\n\n       105 We did not analyze incidents for timeliness that occurred before OMB\nestablished the 1-hour timeframe in July 2006.\n\n        106 Our calculations are based on Categories 1 through 5 and Category 7. We\n\ndid not include incidents found in Categories 0 and 6 because they had no associated\ntime criteria, nor did we include incidents for which the Archer Database contained no\ninformation to indicate when DOJCERT received the report that an incident had\noccurred.\n\n\nU.S. Department of Justice                                                            68\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c         Table 11: EOUSA\xe2\x80\x99s Timeliness in Reporting Incidents to DOJCERT\n                                            Reported     Reported   Could not\n                     Reporting   Incidents   within        after     compute\nCategory            timeframe* reported timeframe timeframe timeliness**\nCategory 0\n                        None             6        N/A          N/A           6\n(Exercise/Test)\nCategory 1\n(Unauthorized          1 hour           25           0           18          7\nAccess)\nCategory 2\n                      2 hours            0        N/A          N/A         N/A\n(Denial of Service)\nCategory 3\n                        1 day          143          66           14         63\n(Malicious Code)\nCategory 4\n                       1 week           94          63            2         29\n(Improper Usage)\nCategory 5\n                      1 month           15           7            0          8\n(Scans/Probes)\nCategory 6\n                        None           179        N/A          N/A         179\n(Investigation)\nCategory 7\n                      1 month            1     
      0            0          1\n(Spam)\nTotal                                 463         136            34        293\nPII incidents\noccurring on or        1 hour          134          19         101          14\nafter 7/12/06***\n* For purposes of this table, reporting timeframes for Categories 0-7 refer to the\ntimeframes defined in the Incident Response Plan. Reporting timeframe for PII\nincidents refers to the timeframe defined in OMB Memorandum M-06-19.\n** Some records did not include information to indicate when DOJCERT received the\nreports. Category 0 and 6 incidents, for which there are no reporting timeframes, are\nalso included in this category.\n*** PII incidents were reported in varying incident categories.\nSource: Archer Database\n\n       An EOUSA official we interviewed stated that employees are\nexpected to report computer security incidents immediately. This official\nalso stated that while EOUSA tries to adhere as much as possible to the\n1-hour requirement for reporting incidents to DOJCERT when PII is\ninvolved, the 1-hour requirement was impractical because of the number\nof steps that have to be taken prior to the notification to DOJCERT. The\nofficial stated that it takes time for an employee to recall when the\nincident occurred, what information was on the device, or where the\ndevice might have been lost. It also takes time for a District Office\nSecurity Manager to gather the necessary information and facts\nsurrounding the loss of data or a device before reporting the incident to\nthe EOUSA Information Systems Security Officer.\n\n\n\n\nU.S. Department of Justice                                                           69\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cEnsuring All Incidents Are Reported\n\n       EOUSA said that it primarily relies on training and employee\nintegrity for ensuring that employees report all computer security\nincidents. 
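Table 11 and footnote 106 describe how the OIG scored timeliness: each incident is compared against its category’s timeframe, Categories 0 and 6 and records with no DOJCERT receipt time are set aside as “could not compute,” and PII incidents occurring on or after July 12, 2006, are measured separately against OMB’s 1-hour requirement regardless of category, with the 80 percent and 16 percent figures computed over the incidents whose timeliness could be determined. The following Python applies that method to a constructed set of incident records; it is added here as an illustration and is not code from the OIG, EOUSA, or DOJCERT. The record layout, the field names, the sample incidents, and the treatment of “1 month” as 30 days are this editor’s assumptions; the report does not describe the Archer Database’s actual schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Reporting timeframes for incident Categories 0-7 as listed in Table 11
# (EOUSA/DOJCERT Incident Response Plan). None = no time criterion.
# "1 month" is treated as 30 days here; that choice is an assumption.
CATEGORY_TIMEFRAMES: Dict[int, Optional[timedelta]] = {
    0: None,                  # Exercise/Test
    1: timedelta(hours=1),    # Unauthorized Access
    2: timedelta(hours=2),    # Denial of Service
    3: timedelta(days=1),     # Malicious Code
    4: timedelta(weeks=1),    # Improper Usage
    5: timedelta(days=30),    # Scans/Probes
    6: None,                  # Investigation
    7: timedelta(days=30),    # Spam
}

# OMB M-06-19: PII incidents must reach DOJCERT within 1 hour; the OIG
# applied this only to incidents occurring on or after July 12, 2006.
PII_TIMEFRAME = timedelta(hours=1)
PII_RULE_EFFECTIVE = datetime(2006, 7, 12)


@dataclass
class Incident:
    """One incident record (hypothetical layout, not the Archer schema)."""
    category: int
    occurred: datetime
    received_by_dojcert: Optional[datetime]   # None = receipt time not recorded
    pii: bool = False


def _empty_row() -> Dict[str, int]:
    return {"reported": 0, "within": 0, "after": 0, "could_not_compute": 0}


def classify(inc: Incident, timeframe: Optional[timedelta]) -> str:
    """Score one incident against a timeframe, mirroring footnote 106:
    no timeframe or no DOJCERT receipt time -> 'could_not_compute'."""
    if timeframe is None or inc.received_by_dojcert is None:
        return "could_not_compute"
    elapsed = inc.received_by_dojcert - inc.occurred
    return "within" if elapsed <= timeframe else "after"


def timeliness_by_category(incidents: List[Incident]) -> Dict[int, Dict[str, int]]:
    """The Category 0-7 rows of Table 11."""
    rows = {cat: _empty_row() for cat in CATEGORY_TIMEFRAMES}
    for inc in incidents:
        row = rows[inc.category]
        row["reported"] += 1
        row[classify(inc, CATEGORY_TIMEFRAMES[inc.category])] += 1
    return rows


def pii_timeliness(incidents: List[Incident]) -> Dict[str, int]:
    """The PII row of Table 11: PII incidents on/after 7/12/06, in any
    category, scored against the 1-hour requirement."""
    row = _empty_row()
    for inc in incidents:
        if inc.pii and inc.occurred >= PII_RULE_EFFECTIVE:
            row["reported"] += 1
            row[classify(inc, PII_TIMEFRAME)] += 1
    return row


def within_rate(row: Dict[str, int]) -> Optional[float]:
    """Share reported within the timeframe, among incidents whose timeliness
    could be computed (the denominator behind the 80% and 16% figures)."""
    computable = row["within"] + row["after"]
    return row["within"] / computable if computable else None


def overall_within_rate(rows: Dict[int, Dict[str, int]]) -> Optional[float]:
    """Aggregate rate across all categories; Categories 0 and 6 contribute
    nothing because every one of their incidents is 'could_not_compute'."""
    total = _empty_row()
    for row in rows.values():
        for key in total:
            total[key] += row[key]
    return within_rate(total)


# Constructed sample records (not real Archer data).
SAMPLE_INCIDENTS = [
    Incident(3, datetime(2006, 8, 1, 9, 0), datetime(2006, 8, 1, 15, 0)),              # 6 h: within 1 day
    Incident(3, datetime(2006, 8, 2, 9, 0), datetime(2006, 8, 4, 9, 0)),               # 48 h: after 1 day
    Incident(3, datetime(2006, 8, 3, 9, 0), None),                                     # no receipt time
    Incident(1, datetime(2006, 8, 5, 10, 0), datetime(2006, 8, 5, 10, 30), pii=True),  # 30 min: within 1 h
    Incident(4, datetime(2006, 8, 6, 10, 0), datetime(2006, 8, 8, 10, 0), pii=True),   # within 1 week, PII late
    Incident(4, datetime(2006, 6, 1, 10, 0), datetime(2006, 6, 3, 10, 0), pii=True),   # PII, but before 7/12/06
    Incident(6, datetime(2006, 8, 7, 10, 0), datetime(2006, 8, 7, 11, 0)),             # Category 6: no timeframe
]

if __name__ == "__main__":
    rows = timeliness_by_category(SAMPLE_INCIDENTS)
    for cat in sorted(rows):
        print(f"Category {cat}: {rows[cat]}")
    print("PII (on/after 7/12/06):", pii_timeliness(SAMPLE_INCIDENTS))
    print("Overall within-timeframe rate:", overall_within_rate(rows))
```

Two details matter when reproducing the report’s numbers from a database export: an incident can count as “within” its category timeframe and still be late under the PII rule (the Category 4 sample above), and records with no receipt timestamp must be excluded from the denominator rather than treated as late, or the within-rate is understated.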
EOUSA relies on the Department’s annual Computer Security Awareness Training and the USAOs’ Justice Consolidated Office Network II Rules of Behavior to inform employees of their responsibility to report such incidents.107 The Rules of Behavior, which employees are required to read and sign when they begin employment, state that loss of a Department laptop or personal digital assistant shall be reported immediately to the District Office Security Manager and the EOUSA Assistant Director, Information Systems Security Staff. The rules also require that any actual or suspected security violations, incidents, vandalism, or vulnerabilities be reported to the District Office Security Manager and Systems Manager. Any violation of these rules may be cause for disciplinary action. EOUSA also said that it relies on the employee to report any incident in which electronic devices or sensitive data are lost or stolen.

       107 United States Attorneys’ Offices Justice Consolidated Office Network II, Rules of Behavior, April 13, 2004.

Notification to Affected Parties

      EOUSA has not developed policies concerning notification to affected parties in the event of a loss of PII.

Determining the Type of Data Lost

      EOUSA said that it primarily relies on interviews with employees, supervisors, and systems managers for identifying the information contained on lost or stolen laptops and personal digital assistants.

                APPENDIX VI: FBI REPORTING PROCEDURES

Introduction

      Between December 2005 and November 2006, the FBI reported 206 computer security incidents to DOJCERT, including 43 incidents involving potential PII loss and 35 incidents potentially involving classified information.108 The FBI considers all of its information to be sensitive – either Sensitive But Unclassified or classified – and requires its employees to report incidents that result in the loss of classified or Sensitive But Unclassified information as well as the loss or theft of all portable electronic devices or removable storage media, such as laptops, BlackBerry devices, hard drives, CDs, and flash drives. Sensitive But Unclassified is defined in the FBI’s Security Policy Manual as “information that requires protection due to the risk or magnitude of loss or harm that could result from inadvertent or deliberate disclosure, modification and/or destruction of the information.” The FBI Security Policy Manual states that records requiring protection under the Privacy Act are a subset of Sensitive But Unclassified information.109 The FBI does not currently have a separate definition for PII. The FBI uses the definition of classified information contained in Executive Order 12958, as Amended, Classified National Security Information, dated March 25, 2003.

       108 As of January 31, 2007, the loss of PII has been confirmed in 1 of the 43 incidents. The remaining 42 incidents involve potential losses of PII.

       109 5 U.S.C. § 552a.

Reporting Procedures

      Within the FBI, computer security incidents are reported to two separate offices, but only one of those offices is required to report incidents to DOJCERT. One office’s procedure for reporting computer security incidents is defined in an FBI policy issued by the Security Division called the Security Policy Manual.110 The other office’s procedure is defined in the FBI’s four Incident Response Plans.111 Both offices should be notified as soon as an employee informs both his or her supervisor and the Chief Security Officer that a computer security incident has occurred.112

       110 FBI Security Policy Manual, POL05-0001-SecD, revised April 3, 2006.

       111 The procedure defined in the Incident Response Plans is the same in each of the four plans.

       112 Each FBI field division and each division within FBI Headquarters has a Chief Security Officer.

Procedures Defined in FBI Security Policy

      The Security Policy Manual, issued by the Security Division, requires FBI employees to report potential computer security incidents to the Security Compliance Unit via a web-based form.113 The form is available to all employees on the FBI intranet and may be completed by the employee who discovered the incident, the employee’s supervisor, the Division’s Chief Security Officer, or any other individual with direct knowledge of an incident. Employees must identify the type of security incident that occurred, choosing from five categories provided, and answer additional questions that are specific to that category of security.114 For example, incidents identified as “Information Technology Security” require employees to describe the circumstances surrounding the loss of electronic information or the loss of a portable electronic device. Employees must also provide the serial number and classification level of a lost portable electronic device.

       113 Subsequent to FBI Special Agent Robert Hanssen’s arrest for espionage, the Commission for the Review of FBI Security Programs was formed. As a result of a recommendation from the Commission, the FBI established the Security Compliance Unit at FBI Headquarters in 2003 to coordinate and oversee all information and physical security compliance activity and violations. FBI employees, contractors, and task force members are required to report all types of security incidents, including data loss incidents and losses of PII, to the Security Compliance Unit.

       114 The five categories are Information Technology Security, Technical Security, Personnel Security, Physical Security, and Control/Loss of Documents.

      The Security Compliance Unit said that it tracks all reported security incidents in an Access database and provides monthly reports to the Section Chief of the Security Operations Section in FBI Headquarters. The Security Compliance Unit also said that it generates quarterly reports of security incidents, by type of incident, to keep the Career Services Management Unit (which develops FBI training) and the Policy Unit (which develops FBI policy) aware of areas of security that may need more attention.

Procedures Defined in Incident Response Plans

      The FBI maintains four Incident Response Plans that conform to the DOJCERT template to cover the following four types of systems: the system that has been classified Top Secret, the systems that have been classified Secret, the unclassified systems, and the systems operated by the Criminal Justice Information Services Division. All four plans have been updated to reflect the changes DOJCERT made to the November 2006 template and identify the seven categories of incidents that should be reported to DOJCERT within specified timeframes.115

       115 Incidents in these seven categories can be caused by either internal sources (threats that originate inside the FBI) or external sources (threats that originate outside the FBI). Threats caused by internal sources are reported to both the Security Compliance Unit and the Enterprise Security Operations Center. Threats caused by external sources are reported only to the Enterprise Security Operations Center.

      The Division’s Chief Security Officer is required to review each reported incident and determine if the incident fits into one of the categories identified in the Incident Response Plans.116 If it does, the division’s Chief Security Officer is required to contact the FBI’s Enterprise Security Operations Center. After-hours reporting procedures are the same as normal business hours procedures because the Enterprise Security Operations Center is staffed 24 hours a day, 7 days a week. The center should implement the procedures in the Incident Response Plans and notify DOJCERT via the Archer Database. Incidents reported to the center should also be tracked in the FBI’s Security Information Management System. Quarterly reports generated from this system are provided to the FBI’s CIO. Chart 17 shows the FBI’s procedures for reporting all computer security incidents, including those involving sensitive, PII, and classified information.

       116 Some FBI divisions have an Information Systems Security Officer who makes this initial determination. If this is the case, the Information Systems Security Officer notifies both the division’s Chief Security Officer and DOJCERT. However, for budgetary reasons, not all divisions have an Information Systems Security Officer.

  Chart 17: Flowchart of the FBI’s Procedures for Reporting All Computer Security Incidents, Including Sensitive, PII, and Classified (Includes After-Hours Reporting Procedures)

      [Flowchart. Employee -> employee’s supervisor or Division Security Officer -> Security Compliance Unit (all incidents entered into Access database). Division Security Officer reviews each incident -> if the incident conforms to certain IRP categories -> Enterprise Security Operations Center -> DOJCERT (within 1 hour if PII).]

      FBI officials told us that the Security Compliance Unit and the Enterprise Security Operations Center are supposed to routinely discuss information security incidents with each other and the actions each section will take to respond to those incidents. However, according to one official, these discussions do not always occur within the timeframes established in the Incident Response Plans. The Security Compliance Unit is not involved in the communications between the center and DOJCERT.

Indications of Compliance with Reporting Procedures

Lost Electronic Device Reporting Procedures

      The FBI was not in full compliance with DOJCERT’s reporting requirements for lost electronic devices. The requirements in the Security Policy Manual (issued by the FBI Security Division) for reporting losses of electronic devices are not consistent with the requirements in the FBI’s Incident Response Plans (issued by the Enterprise Security Operations Center). In reviewing the information the FBI provided to us and the information we analyzed from the Archer Database, we noticed a discrepancy between the number of lost electronic devices that had been reported to the Security Compliance Unit and the number of lost electronic devices that had been reported to the Enterprise Security Operations Center (which is required to report all computer security incidents to DOJCERT).

      For the period from December 2005 through November 2006, FBI employees reported 35 lost or stolen laptops to the Security Compliance Unit, but reported only 7 lost or stolen laptops to the Enterprise Security Operations Center, and therefore to DOJCERT.117 We asked the FBI to explain the discrepancy, and officials stated that, prior to the release of OMB Memorandum M-06-16 in June 2006, the FBI did not realize that all losses of electronic devices were considered reportable incidents as defined by DOJCERT’s Incident Response Plan template. Previously, the FBI relied on Chapter 22 of its Security Policy Manual, dated April 2006, which addresses the reporting procedures for loss of portable electronic devices. This policy requires FBI employees to report security violations involving portable electronic devices to the Security Compliance Unit and does not mention the Enterprise Security Operations Center.

       117 One of the laptops that was reported to the Security Compliance Unit was a classified laptop. FBI officials told us that 35 lost or stolen laptops were reported to the Security Compliance Unit. We reviewed data from DOJCERT’s Archer Database and determined that seven lost or stolen laptops had been reported to the Enterprise Security Operations Center and to DOJCERT. We did not verify the information from either of these sources.

      Additionally, we noted that although the FBI stated it did not realize that all losses of electronic devices were considered reportable incidents as defined by DOJCERT’s Incident Response Plan template, the FBI’s January 2006 Incident Response Plan for unclassified systems required FBI IT security staff to report thefts of computer assets to the Enterprise Security Operations Center.

      The OIG recently released an audit that found deficiencies in the FBI’s procedures for reporting the loss of laptops, including failure to report those incidents in a timely manner.118 In response to a recommendation in that audit, the FBI agreed to revise its policies and to develop additional guidance for reporting incidents to DOJCERT.

       118 OIG, The Federal Bureau of Investigation’s Control Over Weapons and Laptop Computers Follow-Up Audit, Audit Report 07-18, February 2007.

Classified Reporting Procedures

      The FBI was not following the chain-of-command reporting procedures for reporting classified computer security incidents. Between December 2005 and November 2006, FBI employees reported 107 classified computer security incidents to the Security Compliance Unit. Our analysis of data from the Archer Database showed that the Enterprise Security Operations Center reported 35 classified computer security incidents to DOJCERT.119 However, the Department’s Security and Emergency Planning Staff (SEPS) did not receive any reports of classified computer security incidents from the FBI during that same time period.

       119 We did not conduct a case file review to determine whether the 35 classified computer security incidents reported to the Enterprise Security Operations Center were among the 107 classified computer security incidents reported to the Security Compliance Unit.

      The Department’s Definition of a Reportable Classified Incident. The Department’s Security Program Operating Manual (SPOM) requires all components to report “any incident involving a possible loss, compromise, or suspected compromise of classified information” immediately to the Department Security Officer, who is the Director of SEPS.120 The SPOM identifies nine categories of reportable classified incidents meeting this definition, including:

             • Any incident involving a possible loss, compromise, or suspected compromise of classified information;
             • Efforts by any individual . . . to obtain illegal or unauthorized access to classified information or to compromise an employee’s authorized access;
             • Any emergency situation that renders a facility incapable of safeguarding classified material;
             • A delay of more than 48 hours in the delivery of classified material by a commercial carrier;
             • Any event involving . . . IT systems, equipment or media which may result in disclosure of classified information to unauthorized individuals, or that results in unauthorized modification or destruction of system data, loss of computer system processing capability, or loss or theft of computer system media;
             • Any evidence of tampering with a shipment, delivery, or mailing containing classified information;
             • Any shipment or transmission of classified information that is received by other than an approved method prescribed by this manual;
             • Any incidents that indicate an employee knowingly or willfully violated security policies established for the protection of classified or sensitive information; and
             • Any information that raises doubt as to whether another employee’s continued eligibility for access to classified information is clearly consistent with the national security.121

       120 Security Program Operating Manual, § 1-300. The Security Program Operating Manual is written by SEPS and applies to the entire Department.

       121 Security Program Operating Manual, § 1-302.

      Classified Incidents Reported to the Security Compliance Unit. The Security Compliance Unit utilizes the FBI’s Security Policy Manual to define a classified incident as “a failure to safeguard FBI classified and sensitive material according to FBI policies, Executive Order 12958, and Director of National Intelligence Directives.”122 The FBI’s Security Policy Manual identifies eight categories of reportable classified incidents meeting this definition, including:

              • Any loss, compromise, or suspected compromise of classified information;
              • Efforts by a person to obtain unauthorized access to classified information, or to compromise an employee with access;
              • Any emergency situation that renders a facility incapable of safeguarding classified materials;
              • A delay of more than 48 hours in the delivery of classified materials by a commercial carrier;
              • Any event involving computer or telecommunications equipment or media which may result in disclosure of classified information to unauthorized persons, or that results in unauthorized modification or destruction of system data, loss of computer system processing capability, or loss or theft of computer system media;
              • Any evidence of tampering with a shipment, delivery or mailing containing classified information;
              • Any shipment or transmission of classified information that is received by other than an approved method; and
              • Any incidents that indicate an employee knowingly or willfully violated security policies.123

       122 FBI Security Policy Manual, § 17.3.

       123 FBI Security Policy Manual, § 17.4.

      We noted that the Security Policy Manual’s definition of reportable classified incidents was nearly identical to the SPOM’s definition of reportable classified incidents. Even though the SPOM requires components to report classified incidents to SEPS, the FBI stated that it was unaware of any FBI policy requiring it to notify SEPS. However, the FBI also directed us to another passage from its Security Policy Manual, which requires the FBI to notify the Director of National Intelligence of:

             a significant security violation or a compromise of intelligence information that is either extensive in scope, indicates pervasive breach of security procedures, or is otherwise likely to have a serious effect on national security interests. This notification is to be made through the AD [Assistant Director], Security Division, to the Department of Justice Security Officer.124

       124 See FBI Security Policy Manual, § 17.10. The FBI also told us that computer security incidents meeting this standard are defined as “loss or compromise of information storage media or equipment containing intelligence information of such quantity or sensitivity as to potentially jeopardize intelligence activities, sources or methods.”

      The OIG recognizes that not all classified incidents will meet the “significant” standard that requires reporting to the Director of National Intelligence, as outlined in § 17.10 of the Security Policy Manual. However, because the FBI’s general definition of a classified security incident, found in §§ 17.3 and 17.4 of the Security Policy Manual, matches the Department’s definition, the FBI should be reporting all of these incidents to SEPS as required by the SPOM. As noted above, the Security Compliance Unit’s role is to track all reported security incidents in a database and provide monthly reports to the Section Chief of the Security Operations Section in FBI Headquarters. FBI policy does not require the Security Compliance Unit to report any computer security incident to any entity outside the FBI, including SEPS.

      Classified Incidents Reported to the Enterprise Security Operations Center. The Enterprise Security Operations Center defined a classified incident as “an event where an individual gains logical or physical access without permission or a ‘need to know’ to a network, system, application, data, or other resource that contains National Security Information,” and stated that the loss of an electronic device or media (such as a laptop, CD, or flash drive) or the placement of information “on a lower level medium than it is intended for” also constituted a classified incident.125 As noted above, the Enterprise Security Operations Center is required to report computer security incidents to DOJCERT.

       125 The placement of information “on a lower level medium than it is intended for” is commonly referred to as a classified spill.

      The FBI stated that the Enterprise Security Operations Center had mistakenly believed that DOJCERT was a subcomponent of SEPS. As a result, the FBI believed that reporting classified computer security

U.S. 
Department of Justice                                                            78\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cincidents to DOJCERT constituted reporting them to SEPS.126 Between\nDecember 2005 and November 2006, the Enterprise Security Operations\nCenter reported 35 classified computer security incidents to DOJCERT.127\n\n      While this practice does not exactly match the requirements set\nout in the SPOM, DOJCERT provides SEPS the opportunity to review all\ndata loss incidents, including classified incidents, via e-mail notification.\nWe are more concerned that at least 72 classified computer security\nincidents which were reported to the Security Compliance Unit by FBI\nemployees between December 2005 and November 2006 were not\nreported to either DOJCERT or SEPS.128\n\nTimeliness of Reporting.\n\n      Our analysis of the Archer Database showed that the FBI was not\nalways reporting computer security incidents, including PII, within the\nrequired timeframes specified in both the DOJCERT and FBI Incident\nResponse Plans. Between December 2005 and November 2006, the FBI\nreported only 45 percent of its computer security incidents to DOJCERT\nwithin the required timeframes. Further, none of the PII incidents that\noccurred on or after July 12, 2006 for which we could determine\ntimeliness were reported within the required 1-hour timeframe.129\nTable 12 shows the FBI\xe2\x80\x99s reporting in each category.130\n\n       126 As noted earlier, both DOJCERT and SEPS are part of the Justice\nManagement Division. However, the offices are in separate chains of command.\nDOJCERT reports to the Department\xe2\x80\x99s CIO, who reports to the Assistant Attorney\nGeneral for Administration. SEPS reports to the Deputy Assistant Attorney General for\nHuman Resources/Administration, who also reports to the Assistant Attorney General\nfor Administration. 
See JMD\xe2\x80\x99s organizational chart at\nwww.usdoj.gov/jmd/orginfo/chart.htm\n\n       127 The FBI stated in a February 2007 e-mail sent to the OIG that it now\n\nunderstands that SEPS and DOJCERT have different, but complimentary, missions and\nthat the FBI should make overlapping reports of classified computer security incidents.\n\n       128   We did not conduct a case file review to determine whether or not the 35\nclassified, IT-related security incidents reported to the Enterprise Security Operations\nCenter were among the 107 classified, IT-related security incidents reported to the\nSecurity Compliance Unit.\n\n       129 We did not analyze incidents for timeliness that occurred before OMB\nestablished the 1-hour timeframe in July 2006. Additionally, we could not analyze one\nincident that occurred after OMB established the 1-hour timeframe because there was\nno information in the Archer Database to indicate when DOJCERT received the report.\n\n       130 Our calculations are based on Categories 1 through 5 and Category 7. We\n\ndid not include incidents found in Categories 0 and 6 because they had no associated\n                                                                              (Cont\xe2\x80\x99d.)\n\nU.S. 
Department of Justice                                                             79\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c        Table 12: The FBI\xe2\x80\x99s Timeliness in Reporting Incidents to DOJCERT\n                                             Reported    Reported    Could not\n                     Reporting   Incidents    within       after     compute\nCategory            timeframe* reported timeframe timeframe timeliness**\nCategory 0\n                        None              0        N/A         N/A          N/A\n(Exercise/Test)\nCategory 1\n(Unauthorized          1 hour           15            2          13           0\nAccess)\nCategory 2\n                      2 hours             1           0           1           0\n(Denial of Service)\nCategory 3\n                        1 day           42           14          28           0\n(Malicious Code)\nCategory 4\n                       1 week          113           50          57           6\n(Improper Usage)\nCategory 5\n                      1 month           21           18           3           0\n(Scans/Probes)\nCategory 6\n                        None            13         N/A         N/A           13\n(Investigation)\nCategory 7\n                      1 month             1           1           0           0\n(Spam)\nTotal                                  206          85         102           19\nPII incidents\noccurring on or        1 hour           26            0          25           1\nafter 7/12/06***\n* For purposes of this table, reporting timeframes for Categories 0-7 refer to the\ntimeframes defined in the Incident Response Plan. Reporting timeframe for PII\nincidents refers to the timeframe defined in OMB Memorandum M-06-19.\n** Some records did not include information to indicate when DOJCERT received the\nreports. 
Category 0 and 6 incidents, for which there are no reporting timeframes, are\nalso included in this category.\n*** PII incidents were reported in varying incident categories.\nSource: Archer Database\n\n       The FBI is aware of the Department requirement to report all\nincidents involving PII loss within 1 hour and has incorporated that\nrequirement into its four Incident Response Plans. However, one FBI\nofficial stated that the Department\xe2\x80\x99s guidance concerning PII \xe2\x80\x9cis clear as\nmud.\xe2\x80\x9d The FBI has raised concerns about this timeframe with the\nDepartment\xe2\x80\x99s CIO and asked for clarification. Specifically, the FBI told\nus they asked the Department to more clearly define the action that\nshould trigger the 1-hour timeframe. An Assistant Special Agent in\nCharge assigned to a large field division told us that the 1-hour\n\ntime criteria, nor did we include incidents for which the Archer Database contained no\ninformation to indicate when DOJCERT received the report that an incident had\noccurred.\n\n\nU.S. Department of Justice                                                           80\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0ctimeframe is \xe2\x80\x9cvery difficult, if not impossible, to meet on a practical\nbasis\xe2\x80\x9d and further noted that his particular office is so large that \xe2\x80\x9cI\ncouldn\xe2\x80\x99t find someone within 1 hour if my life depended on it.\xe2\x80\x9d The FBI\nwould like the Department to work with the components to develop\ncriteria and thresholds for reporting incidents involving PII loss so that\nthe components can better determine which incidents may be serious\nenough to warrant reporting.\n\n       While the FBI is aware of the Department requirement to report all\npotential losses of PII within 1 hour, not all FBI employees had been\nnotified of the requirement as of the end of 2006. 
For example, one\nAssistant Special Agent in Charge stated that, at the end of 2006,\nknowledge of the requirement was inconsistent in his field division, with\nemployees in the sections that handle large amounts of PII, such as the\nWhite Collar Crime Section, aware of the requirement and employees in\nother sections, such as the Counterterrorism Section, not likely to be\naware. The Assistant Special Agent in Charge also expressed concern\nthat employees might not realize the urgency of the situation when an\nincident involving PII loss occurs.\n\nEnsuring All Incidents Are Reported\n\n       The FBI said that it conducts training to ensure that employees are\naware of the requirement to report computer security incidents,\nincluding those involving PII loss. The FBI said that it administers the\nDepartment\xe2\x80\x99s annual Computer Security Awareness Training to remind\nemployees of the requirement to report computer security incidents. The\nrequirement is also included in the Information Technology Rules of\nBehavior, which employees are required to sign. The Computer Security\nAwareness Training has been updated to include the requirement that\nlosses of PII be reported within 1 hour. FBI employees were scheduled to\ntake this annual training between January 2007 and April 2007. An\nofficial in the FBI\xe2\x80\x99s Security Division noted that the division always sees\na spike in reporting incidents immediately after employees complete their\nannual training. All FBI staff with relevant responsibilities interviewed\nagreed that, beyond conducting training to ensure that all employees are\naware of the requirement to report security incidents, there is no way to\nguarantee that every incident is properly reported. Employees are also\nreminded that failure to report a security incident is, in itself, a security\nincident. 
However, one Assistant Special Agent in Charge noted that\nemployees may delay reporting a lost or stolen device because they fear\nthe possibility of punishment. In addition to training, FBI staff identified\nthe annual property inventory as a method of verifying whether all lost or\nstolen electronic devices were reported.\n\n\nU.S. Department of Justice                                                81\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cNotification to Affected Parties\n\n       The FBI has not developed policies concerning notification to\naffected parties in the event of a loss of PII.\n\nDetermining the Type of Data Lost\n\n       The FBI said that it determines the type of data lost through\nwritten questions and employee interviews. The Security Compliance\nUnit is supposed to review the initial report of the incident and send a\nseries of questions to the Chief Security Officer. The Security\nCompliance Unit said that it began specifically asking about the loss of\nPII after that type of loss became an important issue for the government,\nalthough no written FBI policy requires the unit to obtain that\ninformation. Using the questions provided by the Security Compliance\nUnit, the Chief Security Officer is supposed to interview the employee\nreporting the loss to determine what type of information the device may\nhave contained. 
Based on the employee\xe2\x80\x99s response, the Chief Security\nOfficer should facilitate communication between the employee, the\nemployee\xe2\x80\x99s supervisor, and the appropriate division in FBI Headquarters\nto conduct a damage assessment of the incident.131 In addition, the\nEnterprise Security Operations Center can review server log-in records\nand e-mail servers to determine when an employee last logged in and\nwhich files the employee accessed during that time.\n\n\n\n\n        131 For example, if an employee states that a stolen laptop contained\n\ninformation related to a violent crime case still under investigation, the Chief Security\nOfficer will help the employee and the supervisor arrange a meeting with someone from\nthe Violent Crimes Unit at FBI Headquarters to determine if the theft of the laptop could\nhave an impact on the ongoing investigation.\n\n\nU.S. Department of Justice                                                            82\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c               APPENDIX VII: JMD REPORTING PROCEDURES\n\n\n       DOJCERT is located within the Office of the CIO, which is a\nsubcomponent of the Justice Management Division (JMD). For purposes\nof incident reporting, the subcomponents of JMD are treated as separate\ncomponents. Each subcomponent reports its own incidents and\nmaintains its own Incident Response Plan. 
The following section is\nbased on interviews with and documents obtained from two\nsubcomponents of JMD: Personnel and the Security and Emergency\nPlanning Staff (SEPS).\n\nIntroduction\n\n       Between December 2005 and November 2006, JMD reported\n402 computer security incidents to DOJCERT, including 18 incidents\ninvolving PII and 5 incidents potentially involving classified\ninformation.132 Both Personnel and SEPS consider any loss of PII,\nincluding the loss of any electronic device or removable media containing\nPII, to be reportable computer security incidents.\n\n      JMD officials we interviewed stated that their subcomponents of\nJMD follow the Department\xe2\x80\x99s definition of sensitive information and\nconsider all of their information to be sensitive. In the Security Program\nOperating Manual, the Department defines sensitive information as:\n\n             any information, the loss, misuse, modification of, or unauthorized\n             access to, could affect the national interest, law enforcement\n             activities, the conduct of Federal programs, or the privacy to which\n             individuals are entitled under Section 552a of Title 5, U.S. Code, but\n             that has not been specifically authorized under criteria established\n             by an executive order or an act of Congress to be kept classified in\n             the interest of national defense or foreign policy.133\n\n\n\n\n       132  Personnel reported 13 incidents to DOJCERT between December 2005 and\nNovember 2006, including 1 incident involving potential loss of PII, and no incidents\ninvolving classified information. SEPS reported four incidents to DOJCERT between\nDecember 2005 and November 2006, none of which involved either PII or classified\ninformation. 
All of the incidents reported by SEPS were instances of SEPS employees\nreceiving spam e-mails.\n\n        133 The Security Program Operating Manual is written by SEPS and applies to the\n\nentire Department.\n\n\nU.S. Department of Justice                                                            83\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c      The Personnel division considers PII to be synonymous with\ninformation that is protected by the Privacy Act.134 However, SEPS uses\nOMB\xe2\x80\x99s definition of PII. Personnel does not handle classified information,\nwhile SEPS does. SEPS uses the definition of classified information\ncontained in Executive Order 12958, as Amended, Classified National\nSecurity Information, dated March 25, 2003.\n\nReporting Procedures\n\n       JMD employees are required to contact the individual who handles\nsecurity issues in their subcomponent to report any computer security\nincidents. In Personnel, the Avue User Rules of Behavior require all\nemployees to report all computer security incidents to the Avue\nAdministrator, who is required to notify the Personnel Information\nSystems Security Officer.135 Personnel\xe2\x80\x99s Information Systems Security\nOfficer should notify DOJCERT, via the Archer Database, and also\nshould ensure that the Personnel staff follows the procedures outlined in\nPersonnel\xe2\x80\x99s Incident Response Plan. Personnel staff may also notify their\nsupervisors of computer security incidents, although no policy\nspecifically requires them to do so. Personnel has not developed any\nwritten procedures for reporting computer security incidents after hours.\n\n      SEPS employees are not provided with written procedures\ninstructing them on how to report computer security incidents through\nthe SEPS reporting chain of command. 
We were told in interviews that,\nin practice, employees report computer security incidents to their\nsupervisors, who forward the report to the staff of the Technical Security\nSection.136 The Technical Security Section notifies DOJCERT, via the\nArcher Database, and also ensures that SEPS follows the procedures\noutlined in its Incident Response Plan. For classified incidents, SEPS\xe2\x80\x99s\nemployees said that in practice they report a suspected loss to their\nsupervisor. The supervisor then reports the incident to the Technical\nSecurity Section who forwards the report to the Department Security\nOfficer (Director of SEPS). Chart 18 shows Personnel\xe2\x80\x99s and SEPS\xe2\x80\x99s\nprocedures for reporting all computer security incidents, including those\ninvolving sensitive, PII, and classified information.\n\n\n       134   5 U.S.C. \xc2\xa7 552a.\n\n       135   Avue is the system the Department uses for online job applications.\n\n       136 SEPS is divided into 10 different sections, each of which handles a different\n\naspect of security. The Technical Security Section handles the security of technology\nused to store and transmit classified information.\n\n\nU.S. 
Department of Justice                                                            84\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c           Chart 18: Flowchart of Personnel\xe2\x80\x99s and SEPS\xe2\x80\x99s\n      Procedures for Reporting All Computer Security Incidents,\n         Including Sensitive, PII, and Classified Information\n\n                                                                If PII within\n                                               P ersonnel       1 hour\n   Pe rsonne l            AVUE            Information Systems                   DOJCERT\n   Employe e           Administrator        Security Officer\n\n\n                                                                              If PII within\n                                                                  Sensitive   1 hour\n                                                                  information            DOJCERT\n                                               T echnical\n     SEPS\n                        Supervisor              Security\n    employee\n                                                 Section\n                                                                  Classified           Department\n                                                                  information        Security Officer\n                                                                                    (Director of SEPS)\n\n\n\n       Personnel and SEPS have updated the Incident Response Plans\nthey maintain to reflect the changes DOJCERT made to the November\n2006 Incident Response Plan template. 
The Incident Response Plans\nidentify the seven categories of incidents that should be reported to\nDOJCERT within specified timeframes.\n\n      Both Personnel and SEPS use the Archer Database to track\nincidents that have been reported to DOJCERT.\n\nIndications of Compliance with Reporting Procedures\n\n       For the two JMD subcomponents we reviewed, subcomponent\nofficials told us that they believed employees were following the correct\nreporting procedures. While we did not validate this statement, we did\nanalyze data from the Archer Database to determine if all of the\nsubcomponents of JMD were reporting incidents to DOJCERT in a timely\nmanner.137 Our analysis showed that JMD was not always reporting\ncomputer security incidents, including PII, within the required\ntimeframes specified in both the DOJCERT and JMD Incident Response\nPlans. Between December 2005 and November 2006, JMD reported\n84 percent of its computer security incidents to DOJCERT within the\nrequired timeframes. However, only 14 percent of PII incidents that\noccurred on or after July 12, 2006 were reported within the required\n\n      137 The Archer Database included incidents that were reported by 25 different\n\nsubcomponents of JMD.\n\n\nU.S. Department of Justice                                                            85\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c1-hour timeframe.138 Personnel reported one PII incident after July 12,\n2006, but did not report it in the required 1-hour timeframe. SEPS did\nnot report any PII incidents. 
Table 13 shows JMD\xe2\x80\x99s overall reporting in\neach category.139\n\n          Table 13: JMD\xe2\x80\x99s Timeliness in Reporting Incidents to DOJCERT\n                                            Reported     Reported   Could not\n                     Reporting   Incidents    within       after     compute\nCategory            timeframe* reported timeframe timeframe timeliness**\nCategory 0\n                        None            11         N/A         N/A          11\n(Exercise/Test)\nCategory 1\n(Unauthorized          1 hour           17           3           13          1\nAccess)\nCategory 2\n                      2 hours            1           1            0          0\n(Denial of Service)\nCategory 3\n                        1 day           42          16           15         11\n(Malicious Code)\nCategory 4\n                       1 week            6           2            4          0\n(Improper Usage)\nCategory 5\n                      1 month           99          84           10          5\n(Scans/Probes)\nCategory 6\n                        None            21         N/A         N/A          21\n(Investigation)\nCategory 7\n                      1 month          205         165            8         32\n(Spam)\nTotal                                  402         271           50         81\nPII incidents\noccurring on or        1 hour           16           2           12          2\nafter 7/12/06***\n* For purposes of this table, reporting timeframes for Categories 0-7 refer to the\ntimeframes defined in the Incident Response Plan. Reporting timeframe for PII\nincidents refers to the timeframe defined in OMB Memorandum M-06-19.\n** Some records did not include information to indicate when DOJCERT received the\nreports. 
Category 0 and 6 incidents, for which there are no reporting timeframes, are\nalso included in this category.\n*** PII incidents were reported in varying incident categories.\nSource: Archer Database\n\n\n       138 We did not analyze incidents for timeliness that occurred before OMB\nestablished the 1-hour timeframe in July 2006. We could not analyze two incidents\nthat occurred after OMB established the 1-hour timeframe because there was no\ninformation in the Archer Database to indicate when DOJCERT received the reports.\n\n        139 Our calculations are based on Categories 1 through 5 and Category 7. We\n\ndid not include incidents found in Categories 0 and 6 because they had no associated\ntime criteria, nor did we include incidents for which the Archer Database contained no\ninformation to indicate when DOJCERT received the report that an incident had\noccurred.\n\n\nU.S. Department of Justice                                                           86\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cEnsuring All Incidents Are Reported\n\n      JMD said that it relies primarily on training as its method for\nensuring employees are aware of the requirement to report computer\nsecurity incidents, including those involving PII loss. An official on the\nPersonnel staff described the Department\xe2\x80\x99s annual Computer Security\nAwareness Training as \xe2\x80\x9cthe number one vehicle\xe2\x80\x9d for emphasizing the\nimportance of security to Personnel staff and for reinforcing the reporting\nrequirements that are outlined in the Avue User Rules of Behavior. JMD\nsaid that personnel staff members receive verbal briefings on the\nprocedures for reporting computer security incidents when they are given\nthe equipment necessary to use Justice Secure Remote Access and also\nreceive a wallet card summarizing those reporting procedures. 
Lost\nlaptops or BlackBerry devices can be identified through Personnel\xe2\x80\x99s\nannual inventory process. Personnel\xe2\x80\x99s Property Officer told us that the\nannual property inventory has not uncovered any problems with lost or\nstolen electronic devices.\n\n      A Security Specialist in the SEPS Technical Security Section noted\nthat there is no failsafe method for ensuring that all incidents are\nreported but stated that explaining the reporting procedures and\nencouraging employees to make reports was an important method for\nensuring that incidents are properly reported. SEPS\xe2\x80\x99s Executive Officer\ntold us that the annual property inventory has not uncovered any lost or\nstolen electronic devices.\n\nNotification to Affected Parties\n\n      JMD has not developed policies concerning notification to affected\nparties in the event of a loss of PII.\n\nDetermining the Type of Data Lost\n\n       JMD said that it generally determines the type of data loss through\nemployee interviews. In Personnel, the Information Systems Security\nOfficer is required to interview both the employee reporting the loss and\nthe employee\xe2\x80\x99s supervisor to determine how the employee used the device\nand what data it may have contained. In addition, in August 2006\nPersonnel modified its Avue User Rules of Behavior to require employees\nto obtain written permission from their supervisors before downloading\nPII to the hard drive of a laptop.\n\n\n\n\nU.S. 
Department of Justice                                              87\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c       SEPS does not have any written procedures for determining what\ndata a lost or stolen electronic device may have contained, and SEPS\nofficials stated that only one laptop has been stolen in the past 15 years.\nA member of SEPS\xe2\x80\x99s Technical Security Section stated that if a lost or\nstolen laptop were to be reported, the Technical Security Section would\nspeak with the employee reporting the loss and his or her supervisor to\ndetermine what information the laptop may have contained. SEPS did\nnot report any lost or stolen electronic devices between December 2005\nand November 2006.\n\n\n\n\nU.S. Department of Justice                                               88\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c               APPENDIX VIII: TAX DIVISION PROCEDURES\n\n\nIntroduction\n\n       Between December 2005 and November 2006, the Tax Division\nreported 22 computer security incidents to DOJCERT, none of which\ninvolved the loss of PII. The Tax Division defines reportable computer\nsecurity incidents as the loss of sensitive data; PII; or any portable\nelectronic device or removable storage media that contains Tax Division\ninformation, including the loss of any laptop, BlackBerry device, flash\ndrive, or CD. The Tax Division considers all of its information to be\nsensitive, including PII, Privacy Act information, federal taxpayer\ninformation, and grand jury information. 
The Tax Division defines PII as\ninformation that uniquely identifies an individual, which may include\nsocial security numbers, Taxpayer ID numbers, driver\xe2\x80\x99s license numbers,\nlicense plate numbers, credit card numbers, current or previous\naddresses, current or previous telephone numbers, birthdates, maiden\nnames, previous married names, aliases, and family or medical history.\nTax return information, which is defined in Internal Revenue Service\nPublication 1075 and DOJ Order 2620.5A as including a taxpayer\xe2\x80\x99s\nidentity and information about his or her finances, is considered to be\nsynonymous to PII, as is Privacy Act information. The Tax Division does\nnot generally handle classified information.\n\nReporting Procedures\n\n      Tax Division employees are required to notify their supervisors and\nthe Division\xe2\x80\x99s Security Program Manager within 1 hour of discovering\nthat sensitive data or PII may have been lost.140 If Tax Division\nemployees mistakenly contact the Help Desk to report sensitive data loss\nincidents, the Help Desk staff should direct them to contact the Security\nProgram Manager. The Tax Division told us that employees have been\ninstructed to report data loss incidents directly to the Help Desk if they\nare unable to reach the Security Program Manager immediately. The\nHelp Desk should then notify the Information Systems Security Officer.\n\n       140  On September 5, 2006, the Assistant Attorney General of the Tax Division\nsent a memorandum to all division employees instructing them to contact their\nsupervisors and the division\xe2\x80\x99s Security Program Manager within 1 hour of discovering\nthat sensitive data or PII may have been lost. This 1-hour timeframe is also reflected in\nthe Tax Division\xe2\x80\x99s Incident Response Plan. 
All other types of computer security violations, incidents, and vulnerabilities are reported to the Tax Division Help Desk. The Help Desk is not required to report incidents that do not involve sensitive data or PII beyond this point.

Tax Division officials also told us that if an incident occurs after hours, employees should notify their supervisors. The supervisors have an after-hours contact number for the Security Program Manager.

The Security Program Manager should notify the Tax Division’s Information Systems Security Officer of all computer security incidents. The Information Systems Security Officer should notify DOJCERT, via the Archer Database, and ensure that the Tax Division follows the procedures outlined in its Incident Response Plan.141 The Tax Division’s plan identifies the seven categories of incidents that should be reported to DOJCERT within specified timeframes. The plan has been updated to reflect the required changes DOJCERT made in November 2006 to the DOJCERT Incident Response Plan template.

The Tax Division also has procedures in place for notifying senior Tax Division management of incidents. If a computer security incident includes PII, grand jury information, or federal taxpayer information, the supervisor of the employee involved should notify the Deputy Assistant Attorney General who oversees the section where the incident occurred. The Deputy Assistant Attorney General should then notify the Tax Division’s Office of the Assistant Attorney General.
Chart 19 shows the Tax Division’s procedures for reporting loss of sensitive information, including PII.

141 The Tax Division’s Information Systems Security Officer supervises the Help Desk and thus should be aware of all reports of data loss incidents made to the Help Desk instead of to the Security Program Manager. The Information Systems Security Officer should inform the Security Program Manager of all sensitive data loss incident reports the Help Desk receives.

Chart 19: Flowchart of the Tax Division’s Procedures for Reporting Sensitive Information Loss, Including PII

[Flowchart. Boxes: Employee; Supervisor (within 1 hour); Division Security Program Manager (within 1 hour); Help Desk (if unable to reach Division Security Program Manager); Information Systems Security Officer; DOJCERT (if PII, within 1 hour); Deputy Assistant Attorney General for section (if incident involves PII, grand jury information, or federal taxpayer information); Tax Division Office of the Assistant Attorney General. The paths are those described in the text above.]

For internal tracking purposes, computer security incidents and equipment losses are supposed to be recorded in the Tax Division Help Desk’s ticket database, known as Remedy. Equipment losses have been tracked in this way for several years, and the Tax Division began tracking data losses specifically in August 2006. The Information Systems Security Officer stated that all information tracked in Remedy is also entered into the Archer Database. Tax Division officials said they routinely query Remedy to generate reports on equipment losses.

Indications of Compliance with Reporting Procedures

Tax Division officials told us that they believed employees were following the correct reporting procedures. While we did not validate this statement, our analysis of the Archer Database showed that between December 2005 and November 2006, the Tax Division reported 95 percent of its computer security incidents within the required timeframes specified in both the DOJCERT and Tax Division Incident Response Plans. We did not analyze any Tax Division PII incidents for timeliness because the Tax Division did not report any incidents involving PII.
Table 14 shows the Tax Division’s reporting in each category.142

Table 14: The Tax Division’s Timeliness in Reporting Incidents to DOJCERT

                                    Reporting    Incidents   Reported    Reported    Could not
Category                            timeframe*   reported    within      after       compute
                                                             timeframe   timeframe   timeliness**
Category 0 (Exercise/Test)          None             1         N/A         N/A           1
Category 1 (Unauthorized Access)    1 hour           1           1           0           0
Category 2 (Denial of Service)      2 hours          0         N/A         N/A         N/A
Category 3 (Malicious Code)         1 day            1           0           1           0
Category 4 (Improper Usage)         1 week           0         N/A         N/A         N/A
Category 5 (Scans/Probes)           1 month          1           1           0           0
Category 6 (Investigation)          None             1         N/A         N/A           1
Category 7 (Spam)                   1 month         17          17           0           0
Total                                               22          19           1           2
PII incidents occurring on or       1 hour           0         N/A         N/A         N/A
  after 7/12/06***

* For purposes of this table, reporting timeframes for Categories 0-7 refer to the timeframes defined in the Incident Response Plan. Reporting timeframe for PII incidents refers to the timeframe defined in OMB Memorandum M-06-19.
** Some records did not include information to indicate when DOJCERT received the reports. Category 0 and 6 incidents, for which there are no reporting timeframes, are also included in this category.
*** PII incidents were reported in varying incident categories.
Source: Archer Database

142 Our calculations are based on Categories 1 through 5 and Category 7. We did not include incidents found in Categories 0 and 6 because they had no associated time criteria, nor did we include incidents for which the Archer Database contained no information to indicate when DOJCERT received the report that an incident had occurred.

Ensuring All Incidents Are Reported

While the Tax Division uses several methods to ensure division employees are reporting computer security incidents, it relies primarily on training to ensure employees are aware of the requirement to report computer security incidents, including those involving loss of sensitive data or PII. The Tax Division said that it conducts annual Computer Security Awareness Training to remind users of the responsibility to report computer security incidents and has updated this training to instruct employees to report losses of PII within 1 hour. To remind employees of the importance of reporting sensitive data loss incidents, the Tax Division has also posted a copy of the Assistant Attorney General’s September 5, 2006, memorandum in a prominent position on the Tax Division’s intranet page. The Tax Division’s Rules of Behavior also instruct employees to report known or suspected incidents to the Information Systems Security Officer. Tax Division employees are required to read and acknowledge the Rules of Behavior annually.

Tax Division officials said that lost equipment is tracked through the annual inventory process.
One Tax Division official we interviewed noted that it is easier for management to determine if hardware, such as a laptop or BlackBerry device, is missing because the user will need a replacement device. For other types of computer security incidents, this same official stated that there is no failsafe method for ensuring that all incidents are reported.

Notification to Affected Parties

The Tax Division has not developed policies concerning notification to affected parties in the event of a loss of PII. Tax Division officials expressed a general desire for the Department to take a greater leadership role in computer security issues, including developing a policy on notification.

Determining the Type of Data Lost

In the Tax Division, determining the type of data lost is usually accomplished through employee interviews. In general, the Tax Division’s Information Systems Security Officer is tasked with interviewing the employee reporting the loss and asks the employee to identify the information that the device may have contained. The Information Systems Security Officer may also speak with the employee’s supervisor to determine which cases the employee was most likely to have been working on, but the Tax Division is ultimately dependent on the employee’s memory of the device’s contents.

When an employee is working off-site and a computer security incident occurs, in addition to interviewing the employee reporting the loss, the supervisor may be able to determine the type of data lost through the Tax Division’s Document Management System.
The Tax Division maintains a Document Management System that organizes case-related files, and employees’ access is restricted to the cases to which they have been assigned. To work on Tax Division information from a remote location without having to dial in to the Tax Division’s network, employees can check out files from the Document Management System and have those files uploaded onto the hard drives of their laptops. If an employee chooses this access option and then reports the laptop lost or stolen, the Tax Division supervisor may be able to recreate the files that were on the device by reviewing the Document Management System’s checked-out records. Data saved on flash drives must also be saved on the Document Management System or another part of the Tax Division’s network to provide a backup in the event that the flash drive is lost or stolen.143

Alternatively, employees can access the Tax Division’s network remotely, either through a hard network connection in a United States Attorney’s Office or by dialing in using Justice Secure Remote Access. When employees choose to access the network remotely, the laptop serves as a dumb terminal, with all files saved to the Tax Division’s network instead of to the laptop’s hard drive.

143 Only Tax Division-purchased flash drives are permitted; these flash drives are encrypted, use biometric security (a thumbprint is required to access the data on the flash drive), and are tracked in the Tax Division’s annual property inventory.
APPENDIX IX: USMS REPORTING PROCEDURES

Introduction

Between December 2005 and November 2006, the USMS reported 15 security incidents to DOJCERT, none of which involved the loss of PII or classified information. The USMS stated that reportable losses include the loss of electronic devices such as desktop computers, laptops, or BlackBerry devices that possibly contain classified or investigative case-sensitive information, or printed documents that include PII. However, the USMS stated it did not begin tracking or reporting sensitive data loss incidents, including PII, to DOJCERT until the August 2006 Department memorandum that instructed all components to report these incidents to DOJCERT.144

The USMS defines sensitive information as synonymous with Law Enforcement Sensitive.
In the USMS Security Programs Manager policy, Law Enforcement Sensitive information is defined as unclassified information of a sensitive and proprietary nature that, if disclosed, could cause harm to law enforcement activities by jeopardizing investigations, compromising operations, or causing life-threatening situations for confidential informants, witnesses, or law enforcement personnel.145 These categories are designated as law enforcement sensitive:

• Informant and witness information;
• Grand Jury information subject to the Federal Rules of Criminal Procedure, Rule 6(e), Grand Jury Secrecy Proceedings and Disclosure;
• Investigative material;
• Law enforcement sources and undercover operations;
• Law enforcement intelligence sources and methods;
• Federal law enforcement agency activities;
• Federal support to state and local law enforcement activities;
• Information pertaining to the judiciary, to include investigations of inappropriate communications; and
• Personnel information pertaining to employees of the USMS.

While the USMS does not currently have a definition for PII, it considers those records requiring protection under the Privacy Act to be a subset of Limited Official Use information. The USMS defines Limited Official Use information as unclassified information of a sensitive, proprietary, or personally private nature that must be protected against release to unauthorized individuals. The following categories of information are designated as Limited Official Use information:

• Tax information subject to 26 U.S.C. § 6103, Confidentiality and Disclosure of Returns and Return Information;
• Information that could be sold for profit;
• Personal information subject to the Privacy Act;
• Memorandums or reports that disclose security vulnerabilities;
• Information that could result in physical risk to individuals;
• Company proprietary information;
• Audit staff work papers;
• Draft audit reports;
• Information offered in confidence during the conduct of internal audits, comprehensive assessments, program reviews, and evaluations;
• Program and budget information on intelligence-related activities; and
• Sensitive Antideficiency Act material.146

144 DOJ Memorandum, Reporting Incidents Involving Data Loss and Personally Identifiable Information, Vance Hitch, CIO, August 7, 2006.

145 USMS Directive 2.34, Security Programs Manager, November 9, 2005.

146 USMS Directive 2.34, Security Programs Manager, November 9, 2005, Attachment III F.2.

The USMS uses the definition of classified information contained in Executive Order 12958, as Amended, Classified National Security Information, dated March 25, 2003.

Reporting Procedures

Reporting Procedures for Non-Classified Incidents

The USMS relies on four policies when reporting computer security incidents:

• USMS Incident Response Plan, December 8, 2005;
• USMS Directive 2.34, Security Programs Manager, November 9, 2005;
• USMS Directive 12, Information Resources Management, effective October 6, 2003, updated April 3, 2006; and
• USMS Directive 7.1, Management of Personal Property, October 6, 2003.

It should be noted that the four policies provide conflicting chain-of-command reporting procedures. For example, the policies instruct employees to report computer security incidents to staff titles and internal departments that either no longer exist or are incorrect. Therefore, the reporting procedures described here are the actual practices as described in interviews with USMS officials, supplemented by the policies.

USMS employees are to immediately report suspected computer security incidents involving sensitive information loss, including PII, to the Office of Information Technology’s Help Desk at USMS Headquarters and to the employee’s supervisor. If the incident involves lost or stolen property, the employee is also required to notify the office property custodian (as required by USMS Property Management regulations for reporting lost or stolen property) and the Office of Investigations (as appropriate for stolen property).147 The Help Desk should then notify the appropriate Systems Administrator in the Office of Information Technology as soon as possible to help evaluate the incident.148 The Help Desk, after recording general information about the incident, should then notify the Computer Security Program Manager, also at Headquarters, who interviews the employee involved about the circumstances surrounding the event.
With the information gathered during the interview, the Computer Security Program Manager is required to report the incident to DOJCERT via a telephone call. The USMS does not currently use its electronic access to DOJCERT’s Archer Database for reporting incidents online. Chart 20 shows the USMS’s procedures for reporting sensitive information loss, including PII.

147 USMS Directive 12, Information Resources Management, Appendix H, effective October 6, 2003, updated April 3, 2006. The Office of Investigations is also known as Internal Investigations.

148 There are 50 Systems Administrators to support 400 locations in 94 USMS districts. While the majority of the USMS offices do not have a Systems Administrator, in the locations where one exists the employee reports a data loss first to the Systems Administrator, who then reports the incident to the Help Desk. In locations where no Systems Administrator exists, the employee calls the Help Desk at Headquarters and the employee’s supervisor.
Chart 20: Flowchart of the USMS’s Procedures for Reporting Sensitive Information Loss, Including PII

[Flowchart. Boxes: Employee; Headquarters Office of Information Technology Help Desk; Supervisor; Systems Administrator in the Office of Information Technology; Computer Security Program Manager; DOJCERT (if PII, within 1 hour). The paths are those described in the text above.]

Reporting Procedures for Data Loss that Include PII

As of April 2007, the USMS had not yet updated its Incident Response Plan to reflect requirements for investigating and reporting data loss incidents that include the loss of PII. DOJCERT added the data loss and PII requirements to its Incident Response Plan template in November 2006 with the requirement that all components incorporate this update by December 29, 2006. The USMS stated that it planned to update its Incident Response Plan and include this revision by mid-March 2007.
The USMS did e-mail its staff on August 29, 2006, informing them of their responsibility to report all known incidents of sensitive data loss and PII “within 1 hour of discovery or detection.”149 The USMS does not have procedures for reporting computer security incidents after hours.

Reporting Procedures for Classified Information

If classified information is involved in a computer security incident, employees must promptly report by telephone, and confirm in writing, the circumstances of the incident to the USMS Document Security Program Manager, who is responsible for the receipt, handling, safeguarding, and storage of all classified material within the USMS.150 The Document Security Program Manager is responsible for notifying the USMS Security Programs Manager. The USMS Security Programs Manager is required to then notify the Department’s Security Officer, Security and Emergency Planning Staff (SEPS).

149 USMS E-Mail to All Staff, Notice From OSD Re: Reporting Incidents Involving Data Loss and Personally Identifiable Information, August 29, 2006.

150 USMS Directive 2.34, Security Programs Manager, Attachment C, November 9, 2005, pp. 13-14.
Chart 21 shows the USMS’s procedures for reporting classified information loss.

Chart 21: Flowchart of the USMS’s Procedures for Reporting Classified Information Loss

[Flowchart: Employee → Document Security Program Manager → Security Programs Manager → SEPS]

Additional Reporting Requirements

According to the USMS policy on Management of Personal Property, employees are required to notify the property custodian through their supervisor if an incident involves lost or missing electronic equipment, including a laptop or desktop computer or a BlackBerry device.151 The property custodian should complete a form/affidavit with descriptive information about the event and forward that form to the Office of Property Management. The Office of Property Management is required to refer reports of loss to the Board of Survey if the loss is likely to have been the result of willful intent, gross negligence, neglect, misuse, theft, or misconduct. If the loss involves sensitive property such as desktop and laptop computers or BlackBerry devices that possibly contain classified or investigative case-sensitive information, a copy of the report should be provided to the Office of Internal Affairs (also known as Internal Investigations).152 The property custodian should also report lost sensitive property to the NCIC. In the event of stolen property, the employee should notify the local police department.

Indications of Compliance with Reporting Procedures

USMS officials told us that they believed their employees were following the correct reporting procedures.
While we did not validate this statement, our analysis of the Archer Database showed that the USMS was not always reporting computer security incidents within the required timeframes specified in both the DOJCERT and USMS Incident Response Plans. Between December 2005 and November 2006, the USMS reported 62 percent of its computer security incidents to DOJCERT within the required timeframes. We did not analyze any USMS PII incidents for timeliness because the USMS did not report any incidents involving PII. Table 15 shows the USMS’s reporting in each category.153

151 The property custodian is the Chief Deputy U.S. Marshal within a district office or the head of office within a Headquarters component. See USMS Directive 7.1, Management of Personal Property, October 6, 2003.

152 USMS Memorandum to All USMS Employees, Reporting Losses of USMS Property, Director, November 5, 2002.

Table 15: The USMS’s Timeliness in Reporting Incidents to DOJCERT

                                    Reporting    Incidents   Reported    Reported    Could not
Category                            timeframe*   reported    within      after       compute
                                                             timeframe   timeframe   timeliness**
Category 0 (Exercise/Test)          None             0         N/A         N/A         N/A
Category 1 (Unauthorized Access)    1 hour           2           0           2           0
Category 2 (Denial of Service)      2 hours          0         N/A         N/A         N/A
Category 3 (Malicious Code)         1 day            4           1           2           1
Category 4 (Improper Usage)         1 week           2           2           0           0
Category 5 (Scans/Probes)           1 month          0         N/A         N/A         N/A
Category 6 (Investigation)          None             0         N/A         N/A         N/A
Category 7 (Spam)                   1 month          7           5           1           1
Total                                               15           8           5           2
PII incidents occurring on or       1 hour           0         N/A         N/A         N/A
  after 7/12/06***

* For purposes of this table, reporting timeframes for Categories 0-7 refer to the timeframes defined in the Incident Response Plan. Reporting timeframe for PII incidents refers to the timeframe defined in OMB Memorandum M-06-19.
** Some records did not include information to indicate when DOJCERT received the reports. Category 0 and 6 incidents, for which there are no reporting timeframes, are also included in this category.
*** PII incidents were reported in varying incident categories.
Source: Archer Database

153 Our calculations are based on Categories 1 through 5 and Category 7. We did not include incidents found in Categories 0 and 6 because they had no associated time criteria, nor did we include incidents for which the Archer Database contained no information to indicate when DOJCERT received the report that an incident had occurred.

Ensuring All Incidents Are Reported

The USMS stated that it relies primarily on the Department’s required annual Computer Security Awareness Training to educate and remind staff of their reporting responsibilities as well as what is considered a reportable incident.
However, we were informed during an interview that employees did not have access to this training in 2006 due to technical difficulties the USMS had in supporting the Computer Security Awareness Training online. The USMS also said that it relies on several written policies and memorandums to inform staff of their responsibilities to report lost or stolen government-issued equipment that may contain sensitive information.

In August 2006, the USMS e-mailed a memorandum to all USMS employees informing them of their responsibility to report all incidents involving known loss of sensitive data and PII within 1 hour of discovery or detection.154 Additionally, the memorandum stated that the loss of any data storage devices, such as laptops, flash drives, disks, and tapes, should be reported within the same 1-hour timeframe.

As stated above, the USMS policy on Management of Personal Property requires employees to make the loss of property known immediately, through their supervisor, to the property custodian. Property custodians are required to maintain accountability for all property on the accountable property record through physical inventories and the maintenance of current property records.
A comprehensive physical inventory of all accountable property is required every 2 years.

USMS Rules of Behavior, which all employees must read and sign, require employees to report all actual or suspected security violations, vulnerabilities, and incidents to the first-line supervisor and other appropriate staff.155

Notification to Affected Parties

The USMS has not developed policies concerning notification to affected parties in the event of a loss of PII.

154 USMS e-mail to all staff, Notice From OSD Re: Reporting Incidents Involving Data Loss and Personally Identifiable Information, August 29, 2006.

155 USMS Directive 12, Information Resources Management, Appendix C, Rules of Behavior, effective October 6, 2003, updated April 3, 2006.

Determining the Type of Data Lost

To determine the type of data lost or compromised, the USMS primarily relies on the Chief of Enterprise Management at Headquarters interviewing the employee involved. The Chief said that she questions the employee using an internal form containing 23 questions. Several of the questions ask about applications accessed from the lost laptop or BlackBerry device, whether information was saved to the hard drive, and the type of information the lost device contained. The Chief said that she intends to eventually train the Help Desk to conduct these initial interviews and complete the interview forms. However, the Chief or a member of her staff will remain the point of contact for notifying DOJCERT.
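The timeliness figures in Tables 14 and 15 follow one rule set: each category has a reporting timeframe (none for Categories 0 and 6), incidents with no DOJCERT receipt time in the Archer Database cannot be scored, PII incidents get the separate 1-hour OMB M-06-19 test whatever category they were filed under, and the percentage in footnotes 142 and 153 counts only Categories 1-5 and 7. The Python below is an added example, not code from the OIG report or from any DOJ system; it assumes the timeframes printed in the tables, treats "1 month" as 30 days, and uses constructed incident records chosen to reproduce the USMS counts in Table 15.

```python
"""Reporting-timeliness tabulation in the shape of Tables 14 and 15 (added
example, not part of the OIG report). "1 month" is taken as 30 days; the sample
incidents are constructed so that their counts match the USMS row of Table 15."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Incident Response Plan timeframes per category; None = no timeframe (0 and 6).
CATEGORY_TIMEFRAMES: Dict[int, Optional[timedelta]] = {
    0: None,                 # Exercise/Test
    1: timedelta(hours=1),   # Unauthorized Access
    2: timedelta(hours=2),   # Denial of Service
    3: timedelta(days=1),    # Malicious Code
    4: timedelta(weeks=1),   # Improper Usage
    5: timedelta(days=30),   # Scans/Probes (1 month; 30 days assumed)
    6: None,                 # Investigation
    7: timedelta(days=30),   # Spam (1 month; 30 days assumed)
}
# OMB M-06-19: PII incidents discovered on or after 7/12/06 must reach DOJCERT
# within 1 hour, regardless of the category they were filed under.
PII_TIMEFRAME = timedelta(hours=1)
PII_RULE_START = datetime(2006, 7, 12)
SCORED_CATEGORIES = (1, 2, 3, 4, 5, 7)  # footnotes 142/153 exclude 0 and 6

@dataclass
class Incident:
    category: int
    discovered: datetime
    received_by_dojcert: Optional[datetime]  # None: Archer record lacks receipt time
    involves_pii: bool = False

@dataclass
class RowStats:
    reported: int = 0
    within: int = 0
    after: int = 0
    could_not_compute: int = 0

    def add(self, outcome: str) -> None:
        self.reported += 1
        setattr(self, outcome, getattr(self, outcome) + 1)

def classify(incident: Incident, timeframe: Optional[timedelta]) -> str:
    """Outcome of one incident against one timeframe."""
    if timeframe is None or incident.received_by_dojcert is None:
        return "could_not_compute"
    delay = incident.received_by_dojcert - incident.discovered
    return "within" if delay <= timeframe else "after"

def tabulate(incidents: List[Incident]) -> Dict[object, RowStats]:
    """Per-category rows plus the separate PII row used by both tables."""
    rows: Dict[object, RowStats] = {c: RowStats() for c in CATEGORY_TIMEFRAMES}
    rows["pii"] = RowStats()
    for inc in incidents:
        rows[inc.category].add(classify(inc, CATEGORY_TIMEFRAMES[inc.category]))
        # A PII incident is counted again in the PII row under the 1-hour rule.
        if inc.involves_pii and inc.discovered >= PII_RULE_START:
            rows["pii"].add(classify(inc, PII_TIMEFRAME))
    return rows

def percent_within(rows: Dict[object, RowStats]) -> Optional[float]:
    """Share reported on time, as footnotes 142 and 153 describe: Categories
    1-5 and 7 only, ignoring incidents with no DOJCERT receipt time."""
    within = sum(rows[c].within for c in SCORED_CATEGORIES)
    after = sum(rows[c].after for c in SCORED_CATEGORIES)
    return None if within + after == 0 else 100.0 * within / (within + after)

def table_lines(rows: Dict[object, RowStats]) -> List[str]:
    """Render rows the way the tables do, with N/A where nothing is countable."""
    lines = []
    for key, r in rows.items():
        no_frame = isinstance(key, int) and CATEGORY_TIMEFRAMES[key] is None
        label = f"Category {key}" if isinstance(key, int) else "PII incidents"
        w = "N/A" if r.reported == 0 or no_frame else str(r.within)
        a = "N/A" if r.reported == 0 or no_frame else str(r.after)
        c = "N/A" if r.reported == 0 else str(r.could_not_compute)
        lines.append(f"{label:14} {r.reported:>3} {w:>5} {a:>5} {c:>5}")
    return lines

# Constructed sample: one discovery time; DOJCERT receipt delays chosen so the
# counts match Table 15 (2/4/2/7 incidents; 8 within, 5 after, 2 uncomputable).
T0 = datetime(2006, 9, 1, 9, 0)

def make_incident(cat: int, delay: Optional[timedelta], pii: bool = False) -> Incident:
    return Incident(cat, T0, None if delay is None else T0 + delay, pii)

SAMPLE_USMS: List[Incident] = [
    make_incident(1, timedelta(hours=3)), make_incident(1, timedelta(days=1)),  # 0 within, 2 after
    make_incident(3, timedelta(hours=5)), make_incident(3, timedelta(days=2)),  # 1 within, 2 after,
    make_incident(3, timedelta(days=3)), make_incident(3, None),                # 1 could not compute
    make_incident(4, timedelta(days=2)), make_incident(4, timedelta(days=6)),   # 2 within
    *[make_incident(7, timedelta(days=d)) for d in (1, 2, 3, 4, 5)],            # 5 within
    make_incident(7, timedelta(days=45)), make_incident(7, None),               # 1 after, 1 could not
]

if __name__ == "__main__":
    usms = tabulate(SAMPLE_USMS)
    print("\n".join(table_lines(usms)))
    print(f"Reported within timeframe: {percent_within(usms):.0f} percent")
```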
APPENDIX X: ACTS, DIRECTIVES, AND STANDARDS

• Federal Information Security Management Act (FISMA) of 2002 – This Act is Title III of the E-Government Act of 2002. It defines federal requirements for securing information and information systems that support federal agency operations and assets and requires agencies to develop agency-wide information security programs. Under FISMA, civilian agencies are required to notify the U.S. Computer Emergency Readiness Team (US-CERT) in the Department of Homeland Security, within certain timeframes based on the type of incident, e.g., data breaches, unauthorized access, or suspicious activity on their networks. In July 2006, OMB expanded the rule to cover all incidents that include PII. FISMA also requires the Inspectors General to conduct an annual independent evaluation of the information security program and practices of every agency. To support agencies in conducting their information security programs, FISMA called for the National Institute of Standards and Technology (NIST) to develop federal standards for the security categorization of federal information and information systems according to risk levels and for minimum security requirements for information and information systems in each security category.

• E-Government Act of 2002 – This Act ensures sufficient protection for the privacy of personal information in electronic government systems by requiring that agencies conduct Privacy Impact Assessments (PIA). A PIA is an analysis of how personal information is collected, stored, shared, and managed in a federal system.
FISMA\n    is Title III of the E-Government Act.\n\n\xe2\x80\xa2   Privacy Act of 1974 \xe2\x80\x93 limits agencies\xe2\x80\x99 collection, maintenance, use,\n    and dissemination of information maintained in a system of records.\n    The purpose of the Privacy Act is to balance the government's need to\n    maintain information about individuals with the right of those\n    individuals to be protected against unwarranted invasions of their\n    privacy. The Act restricts disclosure of protected information; grants\n    individuals the right to access and amend such records; and\n    establishes a code of \xe2\x80\x9cfair information practices\xe2\x80\x9d that requires\n    agencies to comply with statutory norms for collection, maintenance,\n    and dissemination of records.156\n\n\n\n       156   See www.usdoj.gov/oip/04_7_1.html for an overview of the Privacy Act.\n\n\nU.S. Department of Justice                                                           103\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c\xe2\x80\xa2   OMB Memorandum M-06-20 (July 17, 2006) \xe2\x80\x93 Fiscal year 2006\n    Reporting Instructions for the Federal Information Security\n    Management Act and Agency Privacy Management. This\n    memorandum provides instructions to all departments and agencies\n    for meeting the fiscal year 2006 requirements of the FISMA Act of\n    2002. 
It also adds the requirements that all Inspectors General\n    provide a list of any systems they have found missing from the\n    agency\xe2\x80\x99s inventory of major information systems (as required under\n    the E-Government Act of 2002) and the identification of any physical\n    or electronic incidents involving the loss or unauthorized access to PII\n    and reporting of such in accordance with OMB Memorandum\n    M-06-19.\n\n\xe2\x80\xa2   OMB Memorandum M-06-19 (July 12, 2006) \xe2\x80\x93 Reporting Incidents\n    Involving Personally Identifiable Information and Incorporating the\n    Cost for Security in Agency Information Technology Investments. This\n    memorandum defines PII and provides updated guidance on the\n    reporting of security incidents involving PII. By issuing this\n    memorandum, OMB required that all security incidents involving PII\n    be reported within 1 hour of the incident\xe2\x80\x99s discovery. US-CERT is\n    required to forward all agency reports to the appropriate Identity Theft\n    Task Force point-of-contact also within 1 hour of notification by an\n    agency. Agencies are also required to identify specific funds they are\n    requesting for correcting any security weaknesses identified by their\n    Inspectors General or the Government Accountability Office.\n\n\xe2\x80\xa2   OMB Memorandum M-06-16 (June 23, 2006) \xe2\x80\x93 Protection of\n    Sensitive Agency Information. 
This memorandum advises heads of\n    Departments and agencies of the NIST Checklist for protection of\n    remote information and recommends additional action to take such as\n    encrypting all data on mobile computers and other devices, allowing\n    remote access only with two-factor authentication, using a time-out\n    function after 30 minutes for remote access, and logging all\n    extractions of sensitive information and verifying that each extract\n    has been erased within 90 days or that its use is still necessary.\n\n\xe2\x80\xa2   OMB Memorandum M-06-15 (May 22, 2006) \xe2\x80\x93 Safeguarding\n    Personally Identifiable Information. This memorandum reminds\n    heads of Departments and agencies of their responsibilities under law\n    and policy to safeguard sensitive PII and to train employees on their\n    responsibilities in this area.\n\n\xe2\x80\xa2   OMB Circular A-130 (November 28, 2000) \xe2\x80\x93 Management of Federal\n    Information Resources. This circular established policies for the\n\n\nU.S. Department of Justice                                              104\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c    management, collection, and dissemination of federal information\n    resources, as required by the Paperwork Reduction Act of 1980.\n\n\xe2\x80\xa2   DOJ Order 2740.1 (November 7, 2005) \xe2\x80\x93 Use and Monitoring of DOJ\n    Computers and Computer Systems. This order states the\n    Department\xe2\x80\x99s policy on the use of departmental computers and\n    computer systems, the lack of expectation of privacy with respect to\n    such use, and authorized monitoring of or access to information on\n    departmental computers and computer systems.\n\n\xe2\x80\xa2   DOJ Order 2880.1B (September 27, 2005) \xe2\x80\x93 Information Resources\n    Management Program. 
This order establishes Department policy\n    governing the planning, management, operation, and use of\n    information technology (IT) resources. It includes a section on\n    information technology security that states in part that, quote:\n\n                o The Department shall develop and manage an agency wide\n                  Information Technology Security Program consistent with the\n                  laws and regulations affecting IT Security.\n\n                o Department IT systems processing Sensitive\n                 Compartmentalized Information (SCI) shall have controls\n                 implemented consistent with the IT security controls\n                 established by the intelligence community. All IT systems\n                 that process, store, or transmit SCI shall be coordinated with\n                 the CIO prior to development and approved by the\n                 Department Security Officer prior to their operation.\n\n\xe2\x80\xa2   DOJ Order 2640.2E (November 28, 2003) \xe2\x80\x93 Information Technology\n    Security. This order establishes uniform policy, responsibilities, and\n    authorities for the implementation and protection of Department IT\n    systems that store, process, or transmit classified and unclassified\n    information.\n\n\xe2\x80\xa2   Information Technology Security Approved Standards (December\n    2003\xe2\x80\x93July 2005) \xe2\x80\x93 JMD\xe2\x80\x99s Information Technology Security Staff\n    standards establish the management, operational, and technical\n    controls for the Department\xe2\x80\x99s information systems.\n\n\xe2\x80\xa2   NIST Special Publication 800-53A (April 2006) \xe2\x80\x93 Guide for Assessing\n    the Security Controls in Federal Information Systems (Second Public\n    Draft). 
This publication provides methods and procedures to assess\n    the effectiveness of security controls in federal information systems.\n    The guidance allows federal agencies to develop more secure\n    information systems.\n\n\n\nU.S. Department of Justice                                                        105\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c\xe2\x80\xa2   NIST Special Publication 800-53 (February 2005) \xe2\x80\x93 Recommended\n    Security Controls for Federal Information Systems. This publication\n    defines minimum security controls needed to provide cost-effective\n    protection for low-, moderate-, and high-impact information systems\n    and the information processed, stored, and transmitted by those\n    systems. These are the standards used for certification and\n    accreditation of federal IT systems.\n\n\xe2\x80\xa2    NIST Special Publication 800-61 (January 2004) \xe2\x80\x93 Computer\n    Security Incident Handling Guide. This guide discusses how to\n    organize a security incident response capability and how to handle\n    incidents, including denial of service, malicious code, unauthorized\n    access, and inappropriate use of systems incidents.\n\n\xe2\x80\xa2   Federal Information Processing Standards Publication (FIPS) 200\n    (March 2006) \xe2\x80\x93 Minimum Security Requirements for Federal Information\n    and Information Systems. FIPS Publication 200 specifies minimum\n    security requirements for federal information and information systems\n    and a risk-based process for selecting the security controls necessary\n    to satisfy the minimum requirements. In applying the FIPS 200\n    provisions, agencies categorized their information systems as required\n    by FIPS Publication 199 and selected an appropriate set of security\n    controls from NIST Special Publication 800-53 to satisfy the minimum\n    security requirements. 
FIPS 200 specifies minimum security\n    requirements for federal information and information systems that\n    represent a broad-based, balanced information security program. The\n    requirements are organized into 17 areas, encompassing the\n    management, operational, and technical aspects of protecting federal\n    information and information systems: access control; audit and\n    accountability; awareness and training; certification, accreditation\n    and security assessments; configuration management; contingency\n    planning; identification and authentication; incident response;\n    maintenance; media protection; personnel security; physical and\n    environmental protection; planning; risk assessment; systems and\n    services acquisition; system and communications protection; and\n    system and information integrity.\n\n\xe2\x80\xa2   Federal Information Processing Standards Publication 199\n    (February 2004) \xe2\x80\x93 Standards for Security Categorization of Federal\n    Information and Information Systems. FIPS 199 is the first standard\n    that was specified by FISMA. It requires agencies to categorize their\n    information and information systems as low-, moderate-, or high-\n    impact based on the potential impact of a loss of confidentiality,\n    integrity, or availability of information or an information system.\n\n\nU.S. 
Department of Justice                                             106\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c                   APPENDIX XI: COMPONENT POLICIES\n\n\nATF              \xe2\x97\x8f Computer Security Incident Response Capability\n                   Incident Response Plan, July 24, 2006\n                 \xe2\x97\x8f Automated Information System Security Program, ATF\n                   Policy H 7250.1, July 26, 2006\n                 \xe2\x97\x8f Computer Security Incident Response Capability, ATF\n                   Order O 7500.4A, April 12, 2005\n\nBOP              \xe2\x97\x8f Incident Response Plan, December 2006\n                 \xe2\x97\x8f Information Resources Protection,\n                   BOP Directive 1237.12, February 20, 2001\n                 \xe2\x97\x8f Information Security Programs for Sensitive But\n                   Unclassified (SBU) Information,\n                   BOP Directive 1237.13, March 31, 2006\n                 \xe2\x97\x8f Property Management Manual,\n                   BOP Directive 4400.05, May 26, 2004\n                 \xe2\x97\x8f Release of Information,\n                   BOP Directive 1351.05, September 19, 2002\n\nCRM              \xe2\x97\x8f Incident Response Plan, December 1, 2006\n                 \xe2\x97\x8f Criminal Division Administrative Policy Memorandum\n                   80-8, Classified Processing, January 14, 2003\n                 \xe2\x97\x8f Criminal Division Security Acknowledgement\n                   Statement for System Administrators and Privileged\n                   Users, November 2006\n\nDEA              \xe2\x97\x8f Computer Incident Response Plan, December 29, 2006\n                 \xe2\x97\x8f DEA Policy: Control and Decontrol of DEA Sensitive\n                   Information, REF 99-001, June 2, 1999\n                 \xe2\x97\x8f Broadcast E-mail Message to all DEA employees:\n                   Personally Identifiable Information (PII) Media 
Loss\n                   Reporting Requirements and Procedures, October 12,\n                   2006\n                 \xe2\x97\x8f Safeguarding Personally Identifiable and Other\n                   Sensitive Information, Chief Inspector\xe2\x80\x99s Bulletin, DEA\n                   Inspection Division, October 20, 2006\n                 \xe2\x97\x8f Memorandum to DEA Deputy Assistant Administrator,\n                   Office of Information Systems, Amendment to the\n                   Interim Information Technology Rules of Behavior \xe2\x80\x93\n                   Protecting Sensitive and Personally Identifiable\n                   Information, November 6, 2006\n                 \xe2\x97\x8f Employee Responsibilities and Conduct\n\nU.S. Department of Justice                                           107\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cEOUSA            \xe2\x97\x8f Incident Response Plan, December 13, 2006\n                 \xe2\x97\x8f Memorandum to Anti-Terrorism Task Force Officials,\n                   Limited Official Use (Sensitive) Information\n                   Designation, January 14, 2003\n                 \xe2\x97\x8f U.S. Attorney\xe2\x80\x99s Manual, Chapter 3-15, Security\n                   Programs Management, August 2004\n                 \xe2\x97\x8f U.S. Attorneys\xe2\x80\x99 Procedures (USAP 3-13.300.001),\n                   Records Management and Case File Disposition,\n                   October 24, 2006\n                 \xe2\x97\x8f U.S. Attorneys\xe2\x80\x99 Procedures (USAP 3-16.000.001),\n                   Computer Assisted Legal Research, October 4, 2006\n                 \xe2\x97\x8f U.S. Attorneys\xe2\x80\x99 Procedures (USAP 3-16-200.003),\n                   Access to Sensitive But Unclassified (SBU) IT\n                   Resources, January 13, 2006\n                 \xe2\x97\x8f U.S. 
Attorneys\xe2\x80\x99 Procedures (USAP 3-16.200.008),\n                   Sensitive But Unclassified Laptop Computer Security,\n                   January 26, 2006\n                 \xe2\x97\x8f U.S. Attorneys\xe2\x80\x99 Procedures (USAP 3-16.300.006),\n                   Personal Digital Assistants (PDAs), September 13,\n                   2006\n                 \xe2\x97\x8f U.S. Attorneys\xe2\x80\x99 Procedures (USAP 3-15.120.002),\n                   Handling and Safeguarding Federal Tax Information,\n                   November 7, 2006\n                 \xe2\x97\x8f U.S. Attorneys\xe2\x80\x99 Manual, Chapter 3-13,\n                   Procurement/Property Management, July 2000\n                 \xe2\x97\x8f EOUSA Resource Manual, Sections 119-126\n\nFBI              \xe2\x97\x8f Incident Response Plans for the Criminal Justice\n                   Information Services Division; SCI Operational\n                   Network; FBI Secret; and Unclassified Network, all\n                   updated December 2006\n                 \xe2\x97\x8f FBI Security Policy Manual, Chapters 17, 21, 22, and\n                   Appendix A, April 2006\n                 \xe2\x97\x8f Systems User Rules of Behavior\n                 \xe2\x97\x8f Memorandum to All FBI Divisions, Reiterating Policy\n                   for the Safeguarding of Government Property Outside\n                   of FBI Office Space, FBI Finance Division, August 23,\n                   2002\n                 \xe2\x97\x8f Memorandum to All FBI Divisions, Reiterate Policy\n                   Requirement to Place Property on the Property\n                   Management Application Upon Receipt, FBI Finance\n                   Division, August 23, 2002\n\n\n\nU.S. 
Department of Justice                                           108\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c                  \xe2\x97\x8f Memorandum to All FBI Divisions, Policy Change for\n                    Submission of FD-500s, Report of Lost or Stolen\n                    Property, FBI Finance Division, November 4, 2005\n                  \xe2\x97\x8f Procedures for Reporting Lost or Stolen Property,\n                    Accountable Property Manual\n                  \xe2\x97\x8f Memorandum to All FBI Divisions, Reiterating\n                    Mandatory Policy for the Assignment and Charge-Out\n                    of Laptop Computers, FBI Finance Division, March 15,\n                    2006\n                  \xe2\x97\x8f Memorandum to All FBI Divisions, Security Incident\n                    Program, Security Compliance Unit, Security Division,\n                    FBI Security Division, February 9, 2006\n                  \xe2\x97\x8f Manual of Investigative Operational Guidelines, Part 1,\n                    Section 52, Government Property \xe2\x80\x93 Theft, Robbery,\n                    Embezzlement\n                  \xe2\x97\x8f Manual of Administrative Operations and Procedures,\n                    Part 2, Section 6-7.5, Lost or Stolen Government\n                    Property/Lost or Stolen Personal Property in\n                    Government Space\n\nJMD157            \xe2\x97\x8f Incident Response Plan for Systems Operated by the\n                    Personnel Staff, December 1, 2006\n                  \xe2\x97\x8f Rules of Behavior for Systems Operated by the\n                    Personnel Staff\n                  \xe2\x97\x8f Incident Response Plan for Systems Operated by the\n                    Security and Emergency Planning Staff, November\n                    2006\n\nTAX               \xe2\x97\x8f Incident Response Plan, December 20, 2006\n                  \xe2\x97\x8f Tax Division Directive No. 
101, Physically Protecting\n                    Portable Computers While On Official Travel\n                  \xe2\x97\x8f Tax Division Directive No. 130, Use of Mass Storage\n                    Devices Within The Tax Division, March 9, 2006\n                  \xe2\x97\x8f Tax Information Security Guidelines for Federal, State,\n                    and Local Agencies: Safeguards for Protecting Federal\n                    Tax Returns and Return Information, IRS Publication\n                    1075\n                  \xe2\x97\x8f Memorandum to Members of the Tax Division,\n                    Computer Security, November 17, 2005\n\n        157 Each subcomponent within JMD develops its own Incident Response Plan\n\nand other policies for responding to computer security incidents. The policies identified\nin this table were provided to the OIG as examples of the types of policies developed by\nall subcomponents of JMD.\n\n\nU.S. Department of Justice                                                          109\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c                 \xe2\x97\x8f Tax Division Security Features User Guide for\n                   JCON II/TaxDoc, October 3, 2006\n                 \xe2\x97\x8f Memorandum to All Tax Division Personnel, Personally\n                   Identifiable Information: Safeguarding It and\n                   Reporting Its Loss, September 5, 2006\n\nUSMS             \xe2\x97\x8f Incident Response Plan, December 8, 2005\n                 \xe2\x97\x8f USMS Directive 2.34 and Attachments B and C,\n                   Security Programs Manager, November 9, 2005\n                 \xe2\x97\x8f USMS Directive 7.1, Management of Personal Property,\n                   October 6, 2003\n                 \xe2\x97\x8f Broadcast e-mail from USMS Security Programs\n                   Manager, Notice from OSD re: Reporting Incidents\n                   Involving Data Loss and Personally Identifiable\n               
    Information, August 29, 2006\n                 \xe2\x97\x8f Memorandum from the Director, Reporting Losses of\n                   USMS Property, November 5, 2002\n                 \xe2\x97\x8f USMS Directive 12, Information Resources\n                   Management, effective October 6, 2003, updated\n                   April 3, 2006\n\n\n\n\nU.S. Department of Justice                                         110\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cAPPENDIX XII: SEVEN CATEGORIES OF SECURITY INCIDENTS AND\n     REQUIRED TIMEFRAMES FOR REPORTING INCIDENTS\n\n\n\nCategory     Name              Description                         Reporting timeframe\n0            Exercise/         This category is used during        As defined in the exercise\n             Network           Department exercises activity       requirements.\n             Defense Testing   testing of internal/external\n                               network defenses or responses.\n1            Unauthorized      In this category an individual      Within 1 hour of\n             Access            gains logical or physical access    discovery/detection,\n                               without permission to a federal     followed by written report\n                               agency network, system,             within 24 hours.\n                               application, data, or other\n                               resource.\n2            Denial of         An attack that successfully         Within 2 hours of\n             Service (DoS)     prevents or impairs the normal      discovery/detection if the\n                               authorized functionality of         successful attack is still\n                               networks, systems or                ongoing and the agency is\n                               applications by exhausting          unable to successfully\n                               resources. 
This activity            mitigate activity, followed\n                               includes being the victim or        by written report within 24\n                               participating in the DoS.           hours.\n3            Malicious Code    Successful installation of          Daily\n                               malicious software (e.g., virus,\n                               worm, Trojan horse, or other        Note: Within 1 hour of\n                               code-based malicious entity)        discovery/detection if\n                               that infects an operating system    widespread across agency,\n                               or application. Components are      followed by written report\n                               NOT required to report              within 24 hours.\n                               malicious logic that has been\n                               successfully quarantined by\n                               antivirus software.\n4            Improper Usage    A person violates acceptable        Weekly\n                               computing use policies.\n5            Scans/Probes/     This category includes any          Monthly\n             Attempted         activity that seeks to access or\n             Access            identify a Department               Note: If system is\n                               computer, open ports, protocols,    classified, report within 1\n                               service, or any combination for     hour of discovery.\n                               later exploit. This activity does\n                               not directly result in a\n                               compromise or denial of service.\n6            Investigation     Unconfirmed incidents that are      Periodically as information\n                               potentially malicious or            is developed. 
This\n                               anomalous activity deemed by        category is for each\n                               the reporting entity to warrant     component\xe2\x80\x99s use in\n                               further review.                     categorizing a potential\n                                                                   incident that is currently\n                                                                   being investigated.\n\n\nU.S. Department of Justice                                                          111\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cCategory     Name              Description                       Reporting timeframe\n7            Spam              Commercial advertising,           Monthly\n                               inappropriate content, or other\n                               non-phishing spam.\n\n\n\n\nU.S. Department of Justice                                                   112\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c  APPENDIX XIII: OFFICE OF THE CHIEF INFORMATION OFFICER\n                         RESPONSE\n\n\n\n\nU.S. Department of Justice                            113\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cU.S. Department of Justice            114\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cU.S. Department of Justice            115\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c   APPENDIX XIV: OIG ANALYSIS OF THE OFFICE OF THE CHIEF\n              INFORMATION OFFICER RESPONSE\n\n\n       On May 4, 2007, the OIG sent copies of the draft report to the\nOffice of the Deputy Attorney General, the Privacy and Civil Liberties\nOffice of the Deputy Attorney General, the Office of the Chief Information\nOfficer (CIO), and the nine components involved in the review with a\nrequest for comments. 
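The Appendix XII table above pairs each incident category with a reporting clock, and several rows carry an escalation condition (widespread malicious code, a DoS that is still ongoing and unmitigated, a scan against a classified system); OMB Memorandum M-06-19, summarized in Appendix X, adds a 1-hour clock for any incident involving PII whatever its category. The following Python is an added example, not code from the OIG report or from DOJCERT: it encodes those rules as a deadline calculator and flags initial or written reports that were sent late or are still unsent, run over constructed sample incidents. The Incident field names, the reading of "Daily", "Weekly" and "Monthly" as rolling windows measured from discovery, and the treatment of an already-mitigated DoS (only the 24-hour written report remains) are assumptions made for this example, not statements of the table.

```python
"""Deadline calculator for the Appendix XII incident categories.

Added example, not part of the OIG report. The Incident field names, the
rolling-window reading of "Daily"/"Weekly"/"Monthly", and the mitigated-DoS
case are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
# Assumed lengths for the periodic cadences named in the table.
CADENCE = {"daily": DAY, "weekly": 7 * DAY, "monthly": 30 * DAY}
# Constructed discovery time shared by the sample incidents below.
SAMPLE_DISCOVERY = datetime(2006, 8, 29, 14, 0)


@dataclass
class Incident:
    category: int                    # 0-7, as numbered in Appendix XII
    discovered: datetime             # discovery/detection time
    involves_pii: bool = False       # OMB M-06-19: 1 hour, any category
    widespread: bool = False         # category 3: widespread across agency
    dos_ongoing: bool = False        # category 2: still ongoing and unmitigated
    classified_system: bool = False  # category 5: affected system is classified


@dataclass
class Deadline:
    initial: Optional[datetime]  # None: no fixed clock (exercise, periodic)
    written: Optional[datetime]  # written-report deadline, where the table sets one
    basis: str                   # which rule produced the deadline


def category_deadline(inc: Incident) -> Deadline:
    """Deadline from the category row alone, before the PII rule is applied."""
    d, c = inc.discovered, inc.category
    if c == 0:
        return Deadline(None, None, "exercise: as defined in the exercise requirements")
    if c == 1:
        return Deadline(d + HOUR, d + 24 * HOUR, "unauthorized access: 1 hour, written within 24 hours")
    if c == 2:
        if inc.dos_ongoing:
            return Deadline(d + 2 * HOUR, d + 24 * HOUR, "DoS ongoing and unmitigated: 2 hours, written within 24 hours")
        # Assumption: once mitigated, only the 24-hour written report remains.
        return Deadline(None, d + 24 * HOUR, "DoS mitigated: written report within 24 hours")
    if c == 3:
        if inc.widespread:
            return Deadline(d + HOUR, d + 24 * HOUR, "malicious code widespread: 1 hour, written within 24 hours")
        return Deadline(d + CADENCE["daily"], None, "malicious code: daily")
    if c == 4:
        return Deadline(d + CADENCE["weekly"], None, "improper usage: weekly")
    if c == 5:
        if inc.classified_system:
            return Deadline(d + HOUR, None, "scan/probe against classified system: 1 hour")
        return Deadline(d + CADENCE["monthly"], None, "scans/probes: monthly")
    if c == 6:
        return Deadline(None, None, "investigation: periodically as information is developed")
    if c == 7:
        return Deadline(d + CADENCE["monthly"], None, "spam: monthly")
    raise ValueError(f"unknown category {c}")


def reporting_deadline(inc: Incident) -> Deadline:
    """Category deadline, tightened to 1 hour from discovery when PII is involved."""
    dl = category_deadline(inc)
    pii_clock = inc.discovered + HOUR
    if inc.involves_pii and (dl.initial is None or pii_clock < dl.initial):
        return Deadline(pii_clock, dl.written, "PII involved (OMB M-06-19): 1 hour; " + dl.basis)
    return dl


def overdue(inc: Incident, now: datetime,
            initial_sent: Optional[datetime] = None,
            written_sent: Optional[datetime] = None) -> List[str]:
    """Report obligations that were sent late or are still unsent past their deadline."""
    dl = reporting_deadline(inc)
    findings = []
    for label, due, sent in (("initial", dl.initial, initial_sent),
                             ("written", dl.written, written_sent)):
        if due is None:
            continue
        if sent is None and now > due:
            findings.append(f"{label} report not sent; was due {due:%Y-%m-%d %H:%M}")
        elif sent is not None and sent > due:
            findings.append(f"{label} report late by {sent - due}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a lost laptop logged as an investigation (category 6)
    # that also involves PII, so the 1-hour PII clock replaces "periodically".
    laptop = Incident(category=6, discovered=SAMPLE_DISCOVERY, involves_pii=True)
    print(reporting_deadline(laptop))
    print(overdue(laptop, now=SAMPLE_DISCOVERY + 3 * HOUR))
    # Constructed sample: widespread worm reported 30 minutes after its 1-hour clock.
    worm = Incident(category=3, discovered=SAMPLE_DISCOVERY, widespread=True)
    print(overdue(worm, now=SAMPLE_DISCOVERY + 2 * HOUR,
                  initial_sent=SAMPLE_DISCOVERY + HOUR + HOUR / 2))
```

Running the module prints the deadlines and findings for the two constructed incidents. The PII rule is applied as a tightening of the category clock rather than a replacement, so a category that already carries a 24-hour written-report obligation keeps it; that mirrors Recommendation 3's concern that employees know both to whom to report and when the 1-hour clock begins.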
In a memorandum dated May 25, 2007, the Office of the CIO responded to the report’s eight recommendations on behalf of the Department of Justice (Department). As a result of that response, Recommendation 7 is closed, and Recommendations 1 through 6 and 8 are resolved and remain open.

In addition to the comments received from the Office of the CIO, we received formal comments from the DEA and the USMS. We address their comments in Appendices XV through XVIII below. The Criminal Division, EOUSA, the FBI, and the Tax Division sent informal comments discussing technical and factual matters, and we made revisions to the report where appropriate to address these comments. ATF, the BOP, and JMD did not offer any technical or factual corrections to the report.

Summary of the Office of the CIO Response and OIG Analysis

Recommendation 1. Require all components to ensure their procedures cover reporting of after-hours incidents.

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that the Department of Justice Computer Emergency Readiness Team (DOJCERT) will update the Incident Response Plan template with procedures to cover reporting of after-hours incidents within 120 days.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. So that we may close this recommendation, please provide the OIG with a copy of the revised Incident Response Plan template reflecting these updates by October 1, 2007.

Recommendation 2. Review the components’ procedures for reporting classified incidents to ensure those procedures comply with the standards in the Department’s Security Program Operating Manual.

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that it would issue a clarification to the components within 120 days to ensure their procedures for reporting classified incidents comply with the standards in the Department’s Security Program Operating Manual.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. So that we may close this recommendation, please provide the OIG with a copy of the clarification to the components by October 1, 2007.

Recommendation 3. Clarify the requirement that all losses of PII be reported within 1 hour and to whom, so that all Department employees understand who to report to and when the 1-hour timeframe begins and ends.

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that it would work with the Office of Management and Budget (OMB) and the United States Computer Emergency Readiness Team (US-CERT) to clarify the 1-hour reporting requirement. The Office of the CIO stated that existing Department documentation will be updated within 120 days to reflect the results of these discussions.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. So that we may close this recommendation, please provide the OIG with a copy of the revised Incident Response Plan template reflecting these updates by October 1, 2007.

Recommendation 4. Ensure all components meet the established reporting timeframes.

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that once it has completed the actions proposed for Recommendation 3, it will develop reporting metrics within the Archer Database to track the components’ compliance with the reporting timeframes.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. Please provide the OIG, by October 1, 2007, with a description of the reporting metrics and the methods for collecting the necessary information, printed screen views showing how the Archer Database has been modified to incorporate the reporting metrics, and a plan of action describing how DOJCERT will respond if the reporting metrics indicate that a component is failing to meet the required timeframes. If these actions are not completed by October 1, please provide the OIG with a status report at that time.

Recommendation 5. Promptly implement a Department-wide policy for notifying affected individuals in the event of a loss of personally identifiable information (PII).

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that it was working with the Department’s Privacy and Civil Liberties Office to develop a Data Breach Notification Policy. The Office of the CIO stated that it would issue the policy within 90 days.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. So that we may close this recommendation, please provide the OIG with a copy of the Department’s Data Breach Notification Policy by October 1, 2007.

Recommendation 6. Develop a Department-specific definition of PII.

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation, with reservations, stating that the Department’s Chief Privacy and Civil Liberties Officer had asked OMB specifically if the Department could develop its own definition of PII in response to this recommendation. OMB expressed reservations about the Department’s request. The Office of the CIO and the Department’s Chief Privacy and Civil Liberties Officer will continue working with OMB on the issue.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. Please provide the OIG with either a Department-specific definition of PII or a status report on the discussions with OMB by October 1, 2007.

Recommendation 7. Consider whether any of the procedures described as “Best Practices” should be implemented across the Department.

Status. Resolved – closed.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that it would review the “Best Practices” identified in this report, as well as “Best Practices” identified by other government agencies, and evaluate the feasibility of implementing them across the Department. The Office of the CIO anticipated being able to complete this evaluation within 90 days.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. This recommendation is closed.

Recommendation 8. Ensure that components update their internal policies to reflect correct reporting procedures in conformance with the DOJCERT Incident Response Plan template and contain up-to-date titles of internal departments and staff.

Status. Resolved – open.

Summary of the Office of the CIO Response. The Office of the CIO concurred with this recommendation and stated that it would work with the components to ensure that the components’ internal policies reflected correct procedures and current personnel. The Office of the CIO anticipated that it would complete this process within 120 days.

OIG Analysis. The action proposed by the Office of the CIO is responsive to our recommendation. So that we may close this recommendation, please provide the OIG with a certification from the Office of the CIO confirming that all components have updated their internal policies by October 1, 2007. If these actions are not completed by October 1, please provide the OIG with a status report at that time.

APPENDIX XV: DEA RESPONSE

APPENDIX XVI: OIG ANALYSIS OF THE DEA RESPONSE

In a memorandum dated May 25, 2007, the DEA responded to the OIG draft report. The DEA concurred with the majority of the OIG review results and the recommendations made to the Department. The DEA also provided comments on two technical and factual matters and made one comment on the report’s recommendations.

Summary of DEA Response and OIG Analysis

Comment 1. The DEA stated that on page 58 of the report the OIG noted that there were six incidents of PII losses at the DEA and two incidents involving losses of classified information. According to the DEA, its internal documents and DOJCERT and SEPS records showed that only one incident involving classified information occurred during the review period. Further, of the six incidents cited by the OIG as involving potential PII loss, only two were actual or suspected losses of PII. The DEA requested that we incorporate these revisions into the report.

OIG Analysis. We declined to incorporate the DEA’s suggested changes into the report. The numbers that the DEA cites are not reflected in DOJCERT’s Archer Database, which we used for each of the nine components reviewed in our analysis. To determine whether an incident involved actual or potential loss of PII, we relied on Archer Database records that showed whether components had responded “Yes” or “Unknown,” respectively, when asked if an incident involved the loss of PII. To determine whether an incident potentially involved classified information, we relied on the incident descriptions in the database. In this review, we did not verify the database’s information with either DOJCERT or the components’ internal records. However, we added a footnote to the DEA appendix that includes the DEA’s numbers and explains why the OIG’s methodology may have produced different numbers.

Comment 2. The DEA stated that the report cites a DEA official as stating that “. . .
in practice the Information Security Section Reports\nclassified incidents to DOJCERT, not SEPS, and relies on DOJCERT to\nreport those incidents to SEPS.\xe2\x80\x9d The DEA stated that it was unable to\nattribute this statement to any DEA official interviewed by the OIG. The\nDEA did acknowledge that its one classified incident was not directly\nreported to SEPS and should have been, but stated that it did not concur\nwith the inference that it willfully failed to follow policies and procedures\n\nU.S. Department of Justice                                               123\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cas a course of practice. Further, the DEA requested that all references to\nthe DEA\xe2\x80\x99s \xe2\x80\x9cpractice\xe2\x80\x9d of reporting loss of classified information to\nDOJCERT and not to SEPS be removed from the report.\n\n      OIG Analysis. Upon reviewing the notes of the original interview\nand a follow-up email sent to us by the subject of the interview, we found\nthat his comments could be subject to varying interpretations. We\nrevised the language on pages 60 and 61 of the report to clarify the\nmeaning of the information he provided.\n\n      Comment 3. The DEA stated that it \xe2\x80\x9cwould not concur with\nrecommendation number five [of the report] unless the definition of PII or\nthe notification policy itself provided for an exception to notification,\nwhere notification would compromise an ongoing law enforcement\ninvestigation or matters of national security.\xe2\x80\x9d\n\n       OIG Analysis. The Department\xe2\x80\x99s Privacy and Civil Liberties Office\nis circulating a draft Department-wide notification policy that should\naddress the DEA\xe2\x80\x99s concerns in this matter.\n\n\n\n\nU.S. 
Department of Justice                                            124\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c                     APPENDIX XVII: USMS RESPONSE\n\n\n\n\nU.S. Department of Justice                          125\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0cU.S. Department of Justice            126\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c       APPENDIX XVIII: OIG ANALYSIS OF THE USMS RESPONSE\n\n\n      In a memorandum dated May 25, 2007, the USMS responded to\nthe OIG draft report. The USMS concurred with the eight\nrecommendations in the report and provided a proposed action plan for\nthose recommendations that required component versus Department\naction. The USMS stated that it would take the following actions by the\nnoted dates for Recommendations 1, 2, and 8:\n\n   \xe2\x80\xa2   Recommendation 1 \xe2\x80\x93 The USMS will update its information\n       technology security policy no later than June 30, 2007, to include\n       the procedures to be followed for reporting computer security\n       incidents after hours.\n\n   \xe2\x80\xa2   Recommendation 2 \xe2\x80\x93 Because nothing in the report indicated that\n       there was a problem with USMS reporting procedures for classified\n       information, the USMS stated it has no action planned.\n\n   \xe2\x80\xa2   Recommendation 8 \xe2\x80\x93 The USMS will ensure that by no later than\n       June 30, 2007, the procedures issued by various organizations\n       within the agency do not have conflicting or inconsistent chain-of-\n       command reporting procedures and that staff titles and internal\n       department designations are correct.\n\n      While we appreciate the USMS response to the OIG\nrecommendations, the Office of the CIO is coordinating the resolution\nprocess on behalf of the components for all recommendations. 
Therefore,\nwe forwarded the USMS\xe2\x80\x99s response memorandum to the Office of the\nCIO.\n\n\n\n\nU.S. Department of Justice                                             127\nOffice of the Inspector General\nEvaluation and Inspections Division\n\x0c"